Analysis
max time kernel: 63s
max time network: 65s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 30-11-2024 19:57
Static task: static1
Behavioral task: behavioral1
Sample: Startup-script.bat
Resource: win10ltsc2021-20241023-en

General
Target: Startup-script.bat
Size: 98KB
MD5: 8eb4e23e8bfed1be98837c83b8bd01d6
SHA1: a406d12d11002bd87314f6a9edc84bb30c532db7
SHA256: a9f9df39909cc07f30ed4e60b0c6024e95c05d4d062c48d15459cf98d52d80c3
SHA512: 31d2e0390afe06e9668ff9ce2f517b1b656414b9655d4777c1700ded5b954810a969988c9c2c2409b304f1a588a4820471be224bf084edeaa95cb0f8c6a7648b
SSDEEP: 768:OPWVQjLJcQMmrdtXuMuxgFBSHDTFs+umRs4fPmwN1o76ba4COljXx5xYa0MF9PVL:uQMuxqSjX/v
Malware Config

Signatures
Modifies boot configuration data using bcdedit (18 IoCs)
Process bcdedit.exe, PIDs: 3536, 1060, 4584, 3560, 380, 2304, 3780, 4980, 3928, 3832, 3812, 2736, 4168, 2492, 4172, 3784, 3588, 3052
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 24 IoCs)
description / ioc / Process:
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\MitigationAuditOptions = 22222222222222222222222222222222  reg.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\MitigationOptions = 22222222222222222222222222222222  reg.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\MitigationAuditOptions = 22222222222222222222222222222222  reg.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe  reg.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\MitigationOptions = 22222222222222222222222222222222  reg.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\MitigationOptions = 22222222222222222222222222222222  reg.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\MitigationAuditOptions = 22222222222222222222222222222222  reg.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe  reg.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\MitigationAuditOptions = 22222222222222222222222222222222  reg.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\MitigationOptions = 22222222222222222222222222222222  reg.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe  reg.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\MitigationOptions = 22222222222222222222222222222222  reg.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe  reg.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe  reg.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe  reg.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe  reg.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\MitigationAuditOptions = 22222222222222222222222222222222  reg.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe  reg.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe  reg.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\MitigationAuditOptions = 22222222222222222222222222222222  reg.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe  reg.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\MitigationOptions = 22222222222222222222222222222222  reg.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe  reg.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe  reg.exe
Modifies Windows Firewall (2 TTPs, 1 IoCs)
Process netsh.exe, PID: 3872

Process powershell.exe, PIDs: 4712, 5028, 3160, 3580, 3012
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
description / ioc / Process:
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum  reg.exe
Key value enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum  reg.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  reg.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count  reg.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance  reg.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum  reg.exe
Power Settings (1 TTPs, 1 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Process powercfg.exe, PID: 4396
Remote Services: SMB/Windows Admin Shares (1 TTPs, 1 IoCs)
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
description / ioc / Process:
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes  reg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description / ioc / Process:
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PID / Process: 3928 cmd.exe; 3736 reg.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Kills process with taskkill (1 IoCs)
Process taskkill.exe, PID: 4116
Modifies registry class (64 IoCs)
Suspicious behavior: EnumeratesProcesses (23 IoCs)
PID / Process: 3012 powershell.exe; 4712 powershell.exe; 4712 powershell.exe; 4168 WMIC.exe; 4168 WMIC.exe; 4168 WMIC.exe; 4168 WMIC.exe; 4960 WMIC.exe; 4960 WMIC.exe; 4960 WMIC.exe; 4960 WMIC.exe; 3580 powershell.exe; 3580 powershell.exe; 1888 powershell.exe; 1888 powershell.exe; 2668 WMIC.exe; 2668 WMIC.exe; 2668 WMIC.exe; 2668 WMIC.exe; 5028 powershell.exe; 5028 powershell.exe; 3160 powershell.exe; 3160 powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Windows\system32\cmd.exe (PID 3820, level 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Startup-script.bat"
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\chcp.com (PID 2532, level 2)
    Command line: chcp 65001

  C:\Windows\system32\taskkill.exe (PID 4116, level 2)
    Command line: taskkill /f /im explorer.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\reg.exe (PID 776, level 2)
    Command line: Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.7z" /ve /t REG_SZ /d "7-Zip.7z" /f

  C:\Windows\system32\reg.exe (PID 4688, level 2)
    Command line: Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.7z" /ve /t REG_SZ /d "7z Archive" /f

  C:\Windows\system32\reg.exe (PID 3696, level 2)
    Command line: Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.7z\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,0" /f

  C:\Windows\system32\reg.exe (PID 4180, level 2)
    Command line: Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.7z\shell" /ve /t REG_SZ /d "" /f
    Signatures: Modifies registry class

  C:\Windows\system32\reg.exe (PID 3160, level 2)
    Command line: Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.7z\shell\open" /ve /t REG_SZ /d "" /f
    Signatures: Modifies registry class

  C:\Windows\system32\reg.exe (PID 3608, level 2)
    Command line: Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.7z\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f

  C:\Windows\system32\reg.exe (PID 1648, level 2)
    Command line: Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.7z" /ve /t REG_SZ /d "7-Zip.7z" /f

  C:\Windows\system32\reg.exe (PID 2344, level 2)
    Command line: Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.7z" /ve /t REG_SZ /d "7z Archive" /f

  C:\Windows\system32\reg.exe (PID 1140, level 2)
    Command line: Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.7z\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,0" /f

  C:\Windows\system32\reg.exe (PID 3892, level 2)
    Command line: Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.7z\shell" /ve /t REG_SZ /d "" /f

  C:\Windows\system32\reg.exe (PID 3848, level 2)
    Command line: Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.7z\shell\open" /ve /t REG_SZ /d "" /f

  C:\Windows\system32\reg.exe (PID 4076, level 2)
    Command line: Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.7z\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f

  C:\Windows\system32\reg.exe (PID 1904, level 2)
    Command line: Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.zip" /ve /t REG_SZ /d "7-Zip.zip" /f

  C:\Windows\system32\reg.exe (PID 4436, level 2)
    Command line: Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.zip" /ve /t REG_SZ /d "zip Archive" /f

  C:\Windows\system32\reg.exe (PID 4252, level 2)
    Command line: Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.zip\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,1" /f

  C:\Windows\system32\reg.exe (PID 2056, level 2)
    Command line: Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.zip\shell" /ve /t REG_SZ /d "" /f

  C:\Windows\system32\reg.exe (PID 1036, level 2)
    Command line: Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.zip\shell\open" /ve /t REG_SZ /d "" /f

  C:\Windows\system32\reg.exe (PID 3712, level 2)
    Command line: Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.zip\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f

  C:\Windows\system32\reg.exe (PID 2708, level 2)
    Command line: Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.zip" /ve /t REG_SZ /d "7-Zip.zip" /f
    Signatures: Modifies registry class

  C:\Windows\system32\reg.exe (PID 4672, level 2)
    Command line: Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.zip" /ve /t REG_SZ /d "zip Archive" /f
    Signatures: Modifies registry class

  C:\Windows\system32\reg.exe (PID 4696, level 2)
    Command line: Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.zip\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,1" /f

  C:\Windows\system32\reg.exe (PID 560, level 2)
    Command line: Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.zip\shell" /ve /t REG_SZ /d "" /f

  C:\Windows\system32\reg.exe (PID 1576, level 2)
    Command line: Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.zip\shell\open" /ve /t REG_SZ /d "" /f

  C:\Windows\system32\reg.exe (PID 1288, level 2)
    Command line: Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.zip\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f

  C:\Windows\system32\reg.exe (PID 4852, level 2)
    Command line: Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.rar" /ve /t REG_SZ /d "7-Zip.rar" /f

  C:\Windows\system32\reg.exe (PID 3856, level 2)
    Command line: Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.rar" /ve /t REG_SZ /d "rar Archive" /f

  C:\Windows\system32\reg.exe (PID 4412, level 2)
    Command line: Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.rar\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,3" /f

  C:\Windows\system32\reg.exe (PID 2044, level 2)
    Command line: Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.rar\shell" /ve /t REG_SZ /d "" /f
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.rar\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:3300
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.rar\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:2804
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rar" /ve /t REG_SZ /d "7-Zip.rar" /f2⤵PID:5088
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.rar" /ve /t REG_SZ /d "rar Archive" /f2⤵
- Modifies registry class
PID:1224
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.rar\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,3" /f2⤵PID:4784
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.rar\shell" /ve /t REG_SZ /d "" /f2⤵PID:3700
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.rar\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:3580
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.rar\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:896
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.001" /ve /t REG_SZ /d "7-Zip.001" /f2⤵PID:2480
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.001" /ve /t REG_SZ /d "001 Archive" /f2⤵PID:1156
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.001\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,9" /f2⤵PID:3288
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.001\shell" /ve /t REG_SZ /d "" /f2⤵PID:4304
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.001\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:4572
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.001\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:1148
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.001" /ve /t REG_SZ /d "7-Zip.001" /f2⤵PID:4092
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.001" /ve /t REG_SZ /d "001 Archive" /f2⤵PID:1856
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.001\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,9" /f2⤵
- Modifies registry class
PID:716
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.001\shell" /ve /t REG_SZ /d "" /f2⤵PID:4884
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.001\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:3156
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.001\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:3864
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.cab" /ve /t REG_SZ /d "7-Zip.cab" /f2⤵PID:4652
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.cab" /ve /t REG_SZ /d "cab Archive" /f2⤵PID:1652
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.cab\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,7" /f2⤵PID:1732
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.cab\shell" /ve /t REG_SZ /d "" /f2⤵PID:912
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.cab\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:996
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.cab\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:1900
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cab" /ve /t REG_SZ /d "7-Zip.cab" /f2⤵PID:1868
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.cab" /ve /t REG_SZ /d "cab Archive" /f2⤵PID:1356
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.cab\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,7" /f2⤵PID:344
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.cab\shell" /ve /t REG_SZ /d "" /f2⤵PID:4232
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.cab\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:1992
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.cab\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵
- Modifies registry class
PID:3692
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.iso" /ve /t REG_SZ /d "7-Zip.iso" /f2⤵PID:1484
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.iso" /ve /t REG_SZ /d "iso Archive" /f2⤵PID:3416
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.iso\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,8" /f2⤵PID:2536
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.iso\shell" /ve /t REG_SZ /d "" /f2⤵PID:1836
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.iso\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:1528
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.iso\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:3124
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.iso" /ve /t REG_SZ /d "7-Zip.iso" /f2⤵PID:1820
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.iso" /ve /t REG_SZ /d "iso Archive" /f2⤵PID:2088
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.iso\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,8" /f2⤵PID:2644
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.iso\shell" /ve /t REG_SZ /d "" /f2⤵PID:2164
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.iso\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:3728
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.iso\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:796
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.xz" /ve /t REG_SZ /d "7-Zip.xz" /f2⤵PID:4916
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.xz" /ve /t REG_SZ /d "xz Archive" /f2⤵PID:2084
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.xz\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,23" /f2⤵PID:2504
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.xz\shell" /ve /t REG_SZ /d "" /f2⤵PID:2252
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.xz\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:4708
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.xz\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:4480
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xz" /ve /t REG_SZ /d "7-Zip.xz" /f2⤵PID:1056
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.xz" /ve /t REG_SZ /d "xz Archive" /f2⤵PID:4768
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.xz\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,23" /f2⤵
- Modifies registry class
PID:504
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.xz\shell" /ve /t REG_SZ /d "" /f2⤵PID:4380
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.xz\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:1756
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.xz\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:4976
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.txz" /ve /t REG_SZ /d "7-Zip.txz" /f2⤵PID:4516
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.txz" /ve /t REG_SZ /d "txz Archive" /f2⤵PID:4588
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.txz\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,23" /f2⤵
- Modifies registry class
PID:1816
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.txz\shell" /ve /t REG_SZ /d "" /f2⤵
- Modifies registry class
PID:1808
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.txz\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:4704
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.txz\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:4764
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txz" /ve /t REG_SZ /d "7-Zip.txz" /f2⤵
- Modifies registry class
PID:4000
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.txz" /ve /t REG_SZ /d "txz Archive" /f2⤵PID:4188
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.txz\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,23" /f2⤵PID:2484
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.txz\shell" /ve /t REG_SZ /d "" /f2⤵PID:4184
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.txz\shell\open" /ve /t REG_SZ /d "" /f2⤵
- Modifies registry class
PID:384
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.txz\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:1264
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.lzma" /ve /t REG_SZ /d "7-Zip.lzma" /f2⤵PID:4460
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.lzma" /ve /t REG_SZ /d "lzma Archive" /f2⤵PID:396
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.lzma\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,16" /f2⤵PID:1492
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.lzma\shell" /ve /t REG_SZ /d "" /f2⤵PID:3344
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.lzma\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:3872
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.lzma\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵
- Modifies registry class
PID:2132
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lzma" /ve /t REG_SZ /d "7-Zip.lzma" /f2⤵PID:4948
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.lzma" /ve /t REG_SZ /d "lzma Archive" /f2⤵PID:1448
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.lzma\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,16" /f2⤵PID:3360
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.lzma\shell" /ve /t REG_SZ /d "" /f2⤵PID:328
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.lzma\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:444
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.lzma\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:1664
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.tar" /ve /t REG_SZ /d "7-Zip.tar" /f2⤵PID:4720
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tar" /ve /t REG_SZ /d "tar Archive" /f2⤵PID:4140
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tar\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,13" /f2⤵PID:1372
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tar\shell" /ve /t REG_SZ /d "" /f2⤵PID:4888
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tar\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:5020
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tar\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:2240
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.tar" /ve /t REG_SZ /d "7-Zip.tar" /f2⤵PID:1724
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tar" /ve /t REG_SZ /d "tar Archive" /f2⤵PID:5056
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tar\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,13" /f2⤵PID:1336
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tar\shell" /ve /t REG_SZ /d "" /f2⤵PID:2020
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tar\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:3140
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tar\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:3552
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.cpio" /ve /t REG_SZ /d "7-Zip.cpio" /f2⤵PID:1612
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.cpio" /ve /t REG_SZ /d "cpio Archive" /f2⤵PID:3612
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.cpio\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,12" /f2⤵PID:1576
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.cpio\shell" /ve /t REG_SZ /d "" /f2⤵PID:4980
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.cpio\shell\open" /ve /t REG_SZ /d "" /f2⤵
- Modifies registry class
PID:3480
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.cpio\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵
- Modifies registry class
PID:5064
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cpio" /ve /t REG_SZ /d "7-Zip.cpio" /f2⤵PID:3608
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.cpio" /ve /t REG_SZ /d "cpio Archive" /f2⤵PID:5076
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.cpio\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,12" /f2⤵PID:3968
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.cpio\shell" /ve /t REG_SZ /d "" /f2⤵PID:3716
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.cpio\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:3664
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.cpio\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:4052
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.bz2" /ve /t REG_SZ /d "7-Zip.bz2" /f2⤵PID:3740
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.bz2" /ve /t REG_SZ /d "bz2 Archive" /f2⤵PID:708
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.bz2\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,2" /f2⤵PID:3568
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.bz2\shell" /ve /t REG_SZ /d "" /f2⤵
- Modifies registry class
PID:4396
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.bz2\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:4064
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.bz2\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:3268
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bz2" /ve /t REG_SZ /d "7-Zip.bz2" /f2⤵PID:3500
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.bz2" /ve /t REG_SZ /d "bz2 Archive" /f2⤵PID:2580
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.bz2\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,2" /f2⤵PID:3884
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.bz2\shell" /ve /t REG_SZ /d "" /f2⤵PID:4124
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.bz2\shell\open" /ve /t REG_SZ /d "" /f2⤵
- Modifies registry class
PID:2740
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.bz2\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:4756
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.bzip2" /ve /t REG_SZ /d "7-Zip.bzip2" /f2⤵
- Modifies registry class
PID:4668
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.bzip2" /ve /t REG_SZ /d "bzip2 Archive" /f2⤵PID:2364
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.bzip2\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,2" /f2⤵PID:4324
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.bzip2\shell" /ve /t REG_SZ /d "" /f2⤵PID:1936
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.bzip2\shell\open" /ve /t REG_SZ /d "" /f2⤵
- Modifies registry class
PID:896
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.bzip2\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:2480
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bzip2" /ve /t REG_SZ /d "7-Zip.bzip2" /f2⤵PID:1156
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.bzip2" /ve /t REG_SZ /d "bzip2 Archive" /f2⤵PID:3288
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.bzip2\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,2" /f2⤵PID:4304
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.bzip2\shell" /ve /t REG_SZ /d "" /f2⤵PID:4572
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.bzip2\shell\open" /ve /t REG_SZ /d "" /f2⤵
- Modifies registry class
PID:1148
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.bzip2\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:4092
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.tbz2" /ve /t REG_SZ /d "7-Zip.tbz2" /f2⤵PID:1856
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tbz2" /ve /t REG_SZ /d "tbz2 Archive" /f2⤵
- Modifies registry class
PID:716
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tbz2\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,2" /f2⤵PID:4884
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tbz2\shell" /ve /t REG_SZ /d "" /f2⤵
- Modifies registry class
PID:3156
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tbz2\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:3864
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tbz2\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:4652
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.tbz2" /ve /t REG_SZ /d "7-Zip.tbz2" /f2⤵PID:1652
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tbz2" /ve /t REG_SZ /d "tbz2 Archive" /f2⤵
- Modifies registry class
PID:1732
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tbz2\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,2" /f2⤵PID:912
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tbz2\shell" /ve /t REG_SZ /d "" /f2⤵PID:996
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tbz2\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:1900
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tbz2\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:1868
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.tbz" /ve /t REG_SZ /d "7-Zip.tbz" /f2⤵
- Modifies registry class
PID:1356
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tbz" /ve /t REG_SZ /d "tbz Archive" /f2⤵PID:344
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tbz\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,2" /f2⤵PID:4232
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tbz\shell" /ve /t REG_SZ /d "" /f2⤵PID:1992
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tbz\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:3692
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tbz\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:1484
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.tbz" /ve /t REG_SZ /d "7-Zip.tbz" /f2⤵PID:3416
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tbz" /ve /t REG_SZ /d "tbz Archive" /f2⤵
- Modifies registry class
PID:2536
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tbz\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,2" /f2⤵PID:1836
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tbz\shell" /ve /t REG_SZ /d "" /f2⤵
- Modifies registry class
PID:1528
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tbz\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:3124
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tbz\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:4208
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.gz" /ve /t REG_SZ /d "7-Zip.gz" /f2⤵PID:1820
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.gz" /ve /t REG_SZ /d "gz Archive" /f2⤵PID:2644
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.gz\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,14" /f2⤵PID:2164
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.gz\shell" /ve /t REG_SZ /d "" /f2⤵PID:3728
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.gz\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:796
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.gz\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵
- Modifies registry class
PID:4916
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gz" /ve /t REG_SZ /d "7-Zip.gz" /f2⤵PID:2084
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.gz" /ve /t REG_SZ /d "gz Archive" /f2⤵
- Modifies registry class
PID:2504
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.gz\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,14" /f2⤵PID:1740
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.gz\shell" /ve /t REG_SZ /d "" /f2⤵PID:4724
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.gz\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:1216
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.gz\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵
- Modifies registry class
PID:5008
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.gzip" /ve /t REG_SZ /d "7-Zip.gzip" /f2⤵PID:4284
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.gzip" /ve /t REG_SZ /d "gzip Archive" /f2⤵
- Modifies registry class
PID:3744
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.gzip\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,14" /f2⤵PID:2576
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.gzip\shell" /ve /t REG_SZ /d "" /f2⤵PID:4580
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.gzip\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:3012
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.gzip\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:4524
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gzip" /ve /t REG_SZ /d "7-Zip.gzip" /f2⤵PID:2592
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.gzip" /ve /t REG_SZ /d "gzip Archive" /f2⤵PID:2584
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.gzip\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,14" /f2⤵PID:792
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.gzip\shell" /ve /t REG_SZ /d "" /f2⤵PID:4704
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.gzip\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:2772
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.gzip\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵
- Modifies registry class
PID:3948
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.tgz" /ve /t REG_SZ /d "7-Zip.tgz" /f2⤵PID:1276
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tgz" /ve /t REG_SZ /d "tgz Archive" /f2⤵
- Modifies registry class
PID:4772
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tgz\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,14" /f2⤵PID:3056
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tgz\shell" /ve /t REG_SZ /d "" /f2⤵PID:4780
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tgz\shell\open" /ve /t REG_SZ /d "" /f2⤵PID:4620
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tgz\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f2⤵PID:1624
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.tgz" /ve /t REG_SZ /d "7-Zip.tgz" /f2⤵PID:656
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tgz" /ve /t REG_SZ /d "tgz Archive" /f2⤵
- Modifies registry class
PID:2668
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tgz\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,14" /f2⤵
- Modifies registry class
PID:2352
-
-
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tgz\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 5084
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tgz\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 3880
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tgz\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 4712
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.tpz" /ve /t REG_SZ /d "7-Zip.tpz" /f | level 2 | PID 4236
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tpz" /ve /t REG_SZ /d "tpz Archive" /f | level 2 | PID 4228
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tpz\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,14" /f | level 2 | PID 1672
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tpz\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 2268
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tpz\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 116
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.tpz\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 1332
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.tpz" /ve /t REG_SZ /d "7-Zip.tpz" /f | level 2 | PID 1688 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tpz" /ve /t REG_SZ /d "tpz Archive" /f | level 2 | PID 272
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tpz\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,14" /f | level 2 | PID 4076
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tpz\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 1904
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tpz\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 4436
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.tpz\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 4252
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.z" /ve /t REG_SZ /d "7-Zip.z" /f | level 2 | PID 2096
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.z" /ve /t REG_SZ /d "z Archive" /f | level 2 | PID 1036
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.z\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,5" /f | level 2 | PID 3712
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.z\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 2708
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.z\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 4672
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.z\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 4696
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.z" /ve /t REG_SZ /d "7-Zip.z" /f | level 2 | PID 3312 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.z" /ve /t REG_SZ /d "z Archive" /f | level 2 | PID 560 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.z\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,5" /f | level 2 | PID 1288
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.z\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 4852 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.z\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 2156
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.z\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 3920
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.taz" /ve /t REG_SZ /d "7-Zip.taz" /f | level 2 | PID 2436
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.taz" /ve /t REG_SZ /d "taz Archive" /f | level 2 | PID 3988
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.taz\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,5" /f | level 2 | PID 3972
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.taz\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 3668
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.taz\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 3984
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.taz\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 4876
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.taz" /ve /t REG_SZ /d "7-Zip.taz" /f | level 2 | PID 3504
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.taz" /ve /t REG_SZ /d "taz Archive" /f | level 2 | PID 3408 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.taz\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,5" /f | level 2 | PID 3908
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.taz\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 3684
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.taz\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 4056
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.taz\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 4020
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.lzh" /ve /t REG_SZ /d "7-Zip.lzh" /f | level 2 | PID 2628
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.lzh" /ve /t REG_SZ /d "lzh Archive" /f | level 2 | PID 2016
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.lzh\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,6" /f | level 2 | PID 2136
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.lzh\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 3724
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.lzh\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 2292
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.lzh\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 3860
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lzh" /ve /t REG_SZ /d "7-Zip.lzh" /f | level 2 | PID 2308
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.lzh" /ve /t REG_SZ /d "lzh Archive" /f | level 2 | PID 460
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.lzh\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,6" /f | level 2 | PID 1248
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.lzh\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 2036
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.lzh\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 1812
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.lzh\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 2028
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.lha" /ve /t REG_SZ /d "7-Zip.lha" /f | level 2 | PID 5060
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.lha" /ve /t REG_SZ /d "lha Archive" /f | level 2 | PID 5040
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.lha\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,6" /f | level 2 | PID 2092
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.lha\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 1328
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.lha\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 3168
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.lha\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 1588
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lha" /ve /t REG_SZ /d "7-Zip.lha" /f | level 2 | PID 2640
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.lha" /ve /t REG_SZ /d "lha Archive" /f | level 2 | PID 2752
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.lha\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,6" /f | level 2 | PID 1620
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.lha\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 2568 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.lha\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 2440
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.lha\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 4676
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.rpm" /ve /t REG_SZ /d "7-Zip.rpm" /f | level 2 | PID 3380
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.rpm" /ve /t REG_SZ /d "rpm Archive" /f | level 2 | PID 2688
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.rpm\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,10" /f | level 2 | PID 1968
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.rpm\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 908
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.rpm\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 1360
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.rpm\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 4792
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rpm" /ve /t REG_SZ /d "7-Zip.rpm" /f | level 2 | PID 4908
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.rpm" /ve /t REG_SZ /d "rpm Archive" /f | level 2 | PID 2276
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.rpm\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,10" /f | level 2 | PID 4836
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.rpm\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 3236
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.rpm\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 2124
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.rpm\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 2368
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.deb" /ve /t REG_SZ /d "7-Zip.deb" /f | level 2 | PID 1400
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.deb" /ve /t REG_SZ /d "deb Archive" /f | level 2 | PID 3412
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.deb\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,11" /f | level 2 | PID 2992
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.deb\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 2488
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.deb\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 1564
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.deb\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 2224 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.deb" /ve /t REG_SZ /d "7-Zip.deb" /f | level 2 | PID 4636
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.deb" /ve /t REG_SZ /d "deb Archive" /f | level 2 | PID 1504
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.deb\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,11" /f | level 2 | PID 1404
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.deb\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 3704
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.deb\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 4448
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.deb\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 652
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.arj" /ve /t REG_SZ /d "7-Zip.arj" /f | level 2 | PID 1056
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.arj" /ve /t REG_SZ /d "arj Archive" /f | level 2 | PID 1368
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.arj\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,4" /f | level 2 | PID 3744
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.arj\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 4576
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.arj\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 4520 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.arj\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 2532
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.arj" /ve /t REG_SZ /d "7-Zip.arj" /f | level 2 | PID 1084
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.arj" /ve /t REG_SZ /d "arj Archive" /f | level 2 | PID 4532
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.arj\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,4" /f | level 2 | PID 404
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.arj\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 4260
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.arj\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 2620
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.arj\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 2652
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.vhd" /ve /t REG_SZ /d "7-Zip.vhd" /f | level 2 | PID 4116
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.vhd" /ve /t REG_SZ /d "vhd Archive" /f | level 2 | PID 4496
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.vhd\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,20" /f | level 2 | PID 4892
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.vhd\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 4620 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.vhd\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 396
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.vhd\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 1492
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vhd" /ve /t REG_SZ /d "7-Zip.vhd" /f | level 2 | PID 3344
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.vhd" /ve /t REG_SZ /d "vhd Archive" /f | level 2 | PID 3872 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.vhd\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,20" /f | level 2 | PID 1644 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.vhd\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 3696
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.vhd\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 1984
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.vhd\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 3932
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.wim" /ve /t REG_SZ /d "7-Zip.wim" /f | level 2 | PID 328
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.wim" /ve /t REG_SZ /d "wim Archive" /f | level 2 | PID 2344
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.wim\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,15" /f | level 2 | PID 1140
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.wim\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 3892
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.wim\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 216
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.wim\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 4740 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.wim" /ve /t REG_SZ /d "7-Zip.wim" /f | level 2 | PID 4888
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.wim" /ve /t REG_SZ /d "wim Archive" /f | level 2 | PID 564
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.wim\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,15" /f | level 2 | PID 3328 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.wim\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 2056
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.wim\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 1724
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.wim\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 1336
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.swm" /ve /t REG_SZ /d "7-Zip.swm" /f | level 2 | PID 2020
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.swm" /ve /t REG_SZ /d "swm Archive" /f | level 2 | PID 3140
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.swm\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,15" /f | level 2 | PID 3552 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.swm\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 1612
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.swm\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 3612 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.swm\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 1576
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.swm" /ve /t REG_SZ /d "7-Zip.swm" /f | level 2 | PID 4980
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.swm" /ve /t REG_SZ /d "swm Archive" /f | level 2 | PID 4248
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.swm\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,15" /f | level 2 | PID 5064
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.swm\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 3608
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.swm\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 5076 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.swm\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 3968
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.fat" /ve /t REG_SZ /d "7-Zip.fat" /f | level 2 | PID 3716
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.fat" /ve /t REG_SZ /d "fat Archive" /f | level 2 | PID 3664
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.fat\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,21" /f | level 2 | PID 4052
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.fat\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 3740
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.fat\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 708
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.fat\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 3400
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.fat" /ve /t REG_SZ /d "7-Zip.fat" /f | level 2 | PID 3568
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.fat" /ve /t REG_SZ /d "fat Archive" /f | level 2 | PID 4064 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.fat\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,21" /f | level 2 | PID 3052
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.fat\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 3500
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.fat\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 2580 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.fat\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 3884
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.ntfs" /ve /t REG_SZ /d "7-Zip.ntfs" /f | level 2 | PID 4124
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.ntfs" /ve /t REG_SZ /d "ntfs Archive" /f | level 2 | PID 2740
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.ntfs\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,22" /f | level 2 | PID 4756
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.ntfs\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 1160 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.ntfs\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 2364 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.ntfs\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 2732
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ntfs" /ve /t REG_SZ /d "7-Zip.ntfs" /f | level 2 | PID 3284
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.ntfs" /ve /t REG_SZ /d "ntfs Archive" /f | level 2 | PID 2884
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.ntfs\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,22" /f | level 2 | PID 1964
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.ntfs\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 1068
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.ntfs\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 956
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.ntfs\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 2944
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.dmg" /ve /t REG_SZ /d "7-Zip.dmg" /f | level 2 | PID 2080
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.dmg" /ve /t REG_SZ /d "dmg Archive" /f | level 2 | PID 824
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.dmg\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,17" /f | level 2 | PID 320
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.dmg\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 1108 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.dmg\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 1632
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.dmg\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 3156
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dmg" /ve /t REG_SZ /d "7-Zip.dmg" /f | level 2 | PID 2228
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.dmg" /ve /t REG_SZ /d "dmg Archive" /f | level 2 | PID 3864
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.dmg\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,17" /f | level 2 | PID 1652
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.dmg\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 1732
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.dmg\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 912
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.dmg\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 996
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.hfs" /ve /t REG_SZ /d "7-Zip.hfs" /f | level 2 | PID 1900
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.hfs" /ve /t REG_SZ /d "hfs Archive" /f | level 2 | PID 1868
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.hfs\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,18" /f | level 2 | PID 1356
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.hfs\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 344
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.hfs\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 4232
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.hfs\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 1992 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hfs" /ve /t REG_SZ /d "7-Zip.hfs" /f | level 2 | PID 3692
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.hfs" /ve /t REG_SZ /d "hfs Archive" /f | level 2 | PID 1484 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.hfs\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,18" /f | level 2 | PID 3416
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.hfs\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 2536
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.hfs\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 1836
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.hfs\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 1528
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.xar" /ve /t REG_SZ /d "7-Zip.xar" /f | level 2 | PID 3124
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.xar" /ve /t REG_SZ /d "xar Archive" /f | level 2 | PID 4208
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.xar\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,19" /f | level 2 | PID 1820
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.xar\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 2644
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.xar\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 2164 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.xar\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 1884
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xar" /ve /t REG_SZ /d "7-Zip.xar" /f | level 2 | PID 1852 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.xar" /ve /t REG_SZ /d "xar Archive" /f | level 2 | PID 2504
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.xar\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,19" /f | level 2 | PID 4724
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.xar\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 3428
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.xar\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 4284
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.xar\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 4380
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\.squashfs" /ve /t REG_SZ /d "7-Zip.squashfs" /f | level 2 | PID 4504
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.squashfs" /ve /t REG_SZ /d "squashfs Archive" /f | level 2 | PID 804
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.squashfs\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,24" /f | level 2 | PID 1736
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.squashfs\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 2596
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.squashfs\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 1348
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Classes\7-Zip.squashfs\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 792 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.squashfs" /ve /t REG_SZ /d "7-Zip.squashfs" /f | level 2 | PID 4196
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.squashfs" /ve /t REG_SZ /d "squashfs Archive" /f | level 2 | PID 4592
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.squashfs\DefaultIcon" /ve /t REG_SZ /d "C:\Program Files\7-Zip\7z.dll,24" /f | level 2 | PID 4188 | Modifies registry class
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.squashfs\shell" /ve /t REG_SZ /d "" /f | level 2 | PID 1544
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.squashfs\shell\open" /ve /t REG_SZ /d "" /f | level 2 | PID 4088
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.squashfs\shell\open\command" /ve /t REG_SZ /d "\"C:\Program Files\7-Zip\7zFM.exe\" \"%1\"" /f | level 2 | PID 2904
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "GlobalAssocChangedCounter" /t REG_DWORD /d "10" /f | level 2 | PID 4460
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\7-Zip\FM\Columns" /v "RootFolder" /t REG_BINARY /d "0100000000000000010000000400000001000000A0000000" /f | level 2 | PID 2204
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\7-Zip\FM" /v "FolderHistory" /t REG_BINARY /d "0000" /f | level 2 | PID 2208
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\7-Zip\FM" /v "PanelPath0" /t REG_SZ /d "" /f | level 2 | PID 1168
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\7-Zip\FM" /v "FlatViewArc0" /t REG_DWORD /d "0" /f | level 2 | PID 1628
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\7-Zip\FM" /v "PanelPath1" /t REG_SZ /d "" /f | level 2 | PID 728
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\7-Zip\FM" /v "FlatViewArc1" /t REG_DWORD /d "0" /f | level 2 | PID 4712
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\7-Zip\FM" /v "ListMode" /t REG_DWORD /d "771" /f | level 2 | PID 3160
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\7-Zip\FM" /v "Position" /t REG_BINARY /d "3400000034000000D40500002B03000000000000" /f | level 2 | PID 3360
C:\Windows\system32\reg.exe | Reg.exe add "HKEY_CURRENT_USER\SOFTWARE\7-Zip\FM" /v "Panels" /t REG_BINARY /d "0100000000000000C6020000" /f | level 2 | PID 1672
C:\Windows\system32\reg.exe | reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f | level 2 | PID 444 | Event Triggered Execution: Image File Execution Options Injection
C:\Windows\system32\reg.exe | reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe" /v "MitigationAuditOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f | level 2 | PID 1664 | Event Triggered Execution: Image File Execution Options Injection
C:\Windows\system32\reg.exe | reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f | level 2 | PID 4720 | Event Triggered Execution: Image File Execution Options Injection
C:\Windows\system32\reg.exe | reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe" /v "MitigationAuditOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f | level 2 | PID 3848 | Event Triggered Execution: Image File Execution Options Injection
C:\Windows\system32\reg.exe | reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f | level 2 | PID 1372 | Event Triggered Execution: Image File Execution Options Injection
C:\Windows\system32\reg.exe | reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /v "MitigationAuditOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f | level 2 | PID 3096 | Event Triggered Execution: Image File Execution Options Injection
C:\Windows\system32\reg.exe | reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f | level 2 | PID 1904 | Event Triggered Execution: Image File Execution Options Injection
C:\Windows\system32\reg.exe | reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe" /v "MitigationAuditOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f | level 2 | PID 4436 | Event Triggered Execution: Image File Execution Options Injection
C:\Windows\system32\reg.exe | reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f | level 2 | PID 4004 | Event Triggered Execution: Image File Execution Options Injection
C:\Windows\system32\reg.exe | reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe" /v "MitigationAuditOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f | level 2 | PID 5056 | Event Triggered Execution: Image File Execution Options Injection
C:\Windows\system32\reg.exe | reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f | level 2 | PID 2848 | Event Triggered Execution: Image File Execution Options Injection
C:\Windows\system32\reg.exe | reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe" /v "MitigationAuditOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f | level 2 | PID 3548 | Event Triggered Execution: Image File Execution Options Injection
C:\Windows\system32\bcdedit.exe | bcdedit /deletevalue useplatformclock | level 2 | PID 3536 | Modifies boot configuration data using bcdedit
C:\Windows\system32\bcdedit.exe | bcdedit /set disabledynamictick yes | level 2
- Modifies boot configuration data using bcdedit
PID:1060
-
-
C:\Windows\system32\bcdedit.exebcdedit /set bootmenupolicy legacy2⤵
- Modifies boot configuration data using bcdedit
PID:4584
-
-
C:\Windows\system32\bcdedit.exebcdedit /set testsigning on2⤵
- Modifies boot configuration data using bcdedit
PID:3560
-
-
C:\Windows\system32\bcdedit.exebcdedit /set debug No2⤵
- Modifies boot configuration data using bcdedit
PID:380
-
-
C:\Windows\system32\bcdedit.exebcdedit /set isolatedcontext No2⤵
- Modifies boot configuration data using bcdedit
PID:2304
-
-
C:\Windows\system32\bcdedit.exebcdedit /set ems No2⤵
- Modifies boot configuration data using bcdedit
PID:3780
-
-
C:\Windows\system32\bcdedit.exebcdedit /set bootems No2⤵
- Modifies boot configuration data using bcdedit
PID:4980
-
-
C:\Windows\system32\bcdedit.exebcdedit /set disableelamdrivers Yes2⤵
- Modifies boot configuration data using bcdedit
PID:3928
-
-
C:\Windows\system32\bcdedit.exebcdedit /set tpmbootentropy ForceDisable2⤵
- Modifies boot configuration data using bcdedit
PID:3832
-
-
C:\Windows\system32\bcdedit.exebcdedit /set hypervisorlaunchtype Off2⤵
- Modifies boot configuration data using bcdedit
PID:3812
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {current} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:2736
-
-
C:\Windows\system32\bcdedit.exebcdedit /set vsmlaunchtype Off2⤵
- Modifies boot configuration data using bcdedit
PID:4168
-
-
C:\Windows\system32\bcdedit.exebcdedit /set tscsyncpolicy enhanced2⤵
- Modifies boot configuration data using bcdedit
PID:2492
-
-
C:\Windows\system32\bcdedit.exebcdedit /set vm No2⤵
- Modifies boot configuration data using bcdedit
PID:4172
-
-
C:\Windows\system32\bcdedit.exebcdedit /timeout 82⤵
- Modifies boot configuration data using bcdedit
PID:3784
-
-
C:\Windows\system32\bcdedit.exebcdedit /set nx alwaysoff2⤵
- Modifies boot configuration data using bcdedit
PID:3588
-
-
C:\Windows\system32\powercfg.exepowercfg -h off2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4396
-
-
C:\Windows\system32\label.exelabel C: reb0rnOS2⤵PID:3856
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {current} description "2022-Server | reb0rnOS"2⤵
- Modifies boot configuration data using bcdedit
PID:3052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled" | findstr "HKEY"2⤵PID:3500
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled"3⤵
- Checks SCSI registry key(s)
PID:2580
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:2804
-
-
-
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "EnhancedPowerManagementEnabled" /t REG_DWORD /d "0" /f2⤵PID:1224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3" | findstr "HKEY"2⤵PID:4668
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3"3⤵
- Checks SCSI registry key(s)
PID:4664
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:1160
-
-
-
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "AllowIdleIrpInD3" /t REG_DWORD /d "0" /f2⤵PID:1936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend" | findstr "HKEY"2⤵PID:896
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend"3⤵
- Checks SCSI registry key(s)
PID:2480
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:2884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended" | findstr "HKEY"2⤵PID:4304
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended"3⤵
- Checks SCSI registry key(s)
PID:4572
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:2944
-
-
-
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "DeviceSelectiveSuspended" /t REG_DWORD /d "0" /f2⤵PID:1696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled" | findstr "HKEY"2⤵PID:4508
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled"3⤵
- Checks SCSI registry key(s)
PID:716
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:4884
-
-
-
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "SelectiveSuspendEnabled" /t REG_DWORD /d "0" /f2⤵PID:2612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn" | findstr "HKEY"2⤵PID:2312
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn"3⤵
- Checks SCSI registry key(s)
PID:3864
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:2008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnumerationRetryCount" | findstr "HKEY"2⤵PID:1732
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnumerationRetryCount"3⤵
- Checks SCSI registry key(s)
PID:912
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:500
-
-
-
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "EnumerationRetryCount" /t REG_DWORD /d "0" /f2⤵PID:1900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "ExtPropDescSemaphore" | findstr "HKEY"2⤵PID:1868
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "ExtPropDescSemaphore"3⤵
- Checks SCSI registry key(s)
PID:1356
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:1832
-
-
-
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "ExtPropDescSemaphore" /t REG_DWORD /d "0" /f2⤵PID:4232
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled" | findstr "HKEY"2⤵PID:1992
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled"3⤵
- Checks SCSI registry key(s)
PID:3692
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:3992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported" | findstr "HKEY"2⤵PID:1400
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported"3⤵
- Checks SCSI registry key(s)
PID:3412
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:3676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable" | findstr "HKEY"2⤵PID:2488
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable"3⤵
- Checks SCSI registry key(s)
PID:1564
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:1880
-
-
-
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2668&SUBSYS_11001AF4&REV_01\3&11583659&0&28\Device Parameters\WDF" /v "WdfDirectedPowerTransitionEnable" /t REG_DWORD /d "0" /f2⤵PID:4636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement" | findstr "HKEY"2⤵PID:1504
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement"3⤵
- Checks SCSI registry key(s)
PID:1404
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:732
-
-
-
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&10\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f2⤵PID:4448
-
-
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&FA\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f2⤵PID:4012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState" | findstr "HKEY"2⤵PID:2908
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState"3⤵
- Checks SCSI registry key(s)
PID:504
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:2576
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell -file "C:\Windows\Modules\Disable-PNP.ps1"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f2⤵PID:2620
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "LinkResolveIgnoreLinkInfo" /t REG_DWORD /d "1" /f2⤵PID:2652
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d "1" /f2⤵PID:4116
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d "1" /f2⤵PID:4496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" /s /f "NetbiosOptions" | findstr "HKEY"2⤵PID:4892
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" /s /f "NetbiosOptions"3⤵PID:4620
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:4460
-
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{29ec2a61-6e2c-4454-a213-668a1bf5d7c0}" /v "NetbiosOptions" /t REG_DWORD /d "2" /f2⤵PID:1492
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{9c87efec-a16e-47fa-9892-d0e60788dc28}" /v "NetbiosOptions" /t REG_DWORD /d "2" /f2⤵PID:3344
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Remove-AutologgerConfig -Name "autologger-diagtrack-listener", "cellcore", "cloudexperiencehostoobe", "lwtnetlog", "mellanox-Kernel", "microsoft-windows-assignedaccess-trace", "microsoft-windows-rdp-graphics-rdpidd-trace", "microsoft-windows-setup", "netcore", "ntfslog", "peauthlog", "radiomgr", "readyboot", "refslog", "setupplatform", "setupplatformtel", "spoolerlogger", "tcpiplogger", "wifisession", "wifidriverihvsessionrepro", "wifidriverihvsession", "wfp-ipsec-trace", "ubpm", "tilestore"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" /v "*SpeedDuplex" /s | findstr "HKEY"2⤵PID:3928
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" /v "*SpeedDuplex" /s3⤵PID:3832
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:3988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic cpu get NumberOfCores | findstr "."2⤵PID:2736
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get NumberOfCores3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4168
-
-
C:\Windows\system32\findstr.exefindstr "."3⤵PID:4052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID| findstr /L "PCI\VEN_"2⤵PID:3784
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_NetworkAdapter get PNPDeviceID3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4960
-
-
C:\Windows\system32\findstr.exefindstr /L "PCI\VEN_"3⤵PID:3908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18" /v "Driver"2⤵PID:2044
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18" /v "Driver"3⤵PID:2016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo {4d36e972-e325-11ce-bfc1-08002be10318}\0001 | findstr "{"2⤵PID:5088
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo {4d36e972-e325-11ce-bfc1-08002be10318}\0001 "3⤵PID:3300
-
-
C:\Windows\system32\findstr.exefindstr "{"3⤵PID:3724
-
-
-
C:\Windows\system32\reg.exereg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*NumRssQueues" /t REG_SZ /d "2" /f2⤵PID:2308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoLogo -NoProfile -NonInteractive -Command "Enable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip,ms_pacer ; Disable-NetAdapterBinding -Name "*" -ComponentID ms_lldp,ms_lltdio,ms_implat,ms_rspndr,ms_tcpip6,ms_server,ms_msclient"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Disable-NetFirewallRule2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1888
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AFD\Parameters" /v "DisableRawSecurity" /t REG_DWORD /d "1" /f2⤵PID:3956
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AFD\Parameters" /v "DynamicSendBufferDisable" /t REG_DWORD /d "0" /f2⤵PID:2576
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AFD\Parameters" /v "IrpStackSize" /t REG_DWORD /d "50" /f2⤵PID:2908
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AFD\Parameters" /v "PriorityBoost" /t REG_DWORD /d "0" /f2⤵PID:4764
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AFD\Parameters" /v "DoNotHoldNicBuffers" /t REG_DWORD /d "1" /f2⤵PID:792
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NDIS\Parameters" /v "EnableNicAutoPowerSaverInSleepStudy" /t REG_DWORD /d "0" /f2⤵PID:2340
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NDIS\Parameters" /v "ImplicitPowerRefManagement" /t REG_DWORD /d "0" /f2⤵PID:4520
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NDIS\Parameters" /v "DebugLoggingMode" /t REG_DWORD /d "0" /f2⤵PID:1084
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NDIS\Parameters" /v "TrackNblOwner" /t REG_DWORD /d "0" /f2⤵PID:1736
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NDIS\Parameters" /v "DisableNDISWatchDog" /t REG_DWORD /d "1" /f2⤵PID:1276
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NDIS\Parameters" /v "LogPages" /t REG_DWORD /d "0" /f2⤵PID:4184
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NDIS\Parameters" /v "ForceLogsInMiniDump" /t REG_DWORD /d "0" /f2⤵PID:384
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\services\NDIS\Parameters" /v "DisableWDIWatchdogForceBugcheck" /t REG_DWORD /d "1" /f2⤵PID:1264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"2⤵PID:400
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_networkadapter get GUID3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2668
-
-
C:\Windows\system32\findstr.exefindstr "{"3⤵PID:1396
-
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9C87EFEC-A16E-47FA-9892-D0E60788DC28}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f2⤵PID:3436
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9C87EFEC-A16E-47FA-9892-D0E60788DC28}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f2⤵PID:1628
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9C87EFEC-A16E-47FA-9892-D0E60788DC28}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f2⤵PID:5084
-
-
C:\Windows\system32\netsh.exenetsh int tcp set heuristics disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-NetOffloadGlobalSetting -PacketCoalescingFilter disabled2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-NetTCPSetting -SettingName InternetCustom -Timestamps Disabled2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /f "DmaRemappingCompatible" | findstr "HKEY"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3928 -
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /f "DmaRemappingCompatible"3⤵
- Maps connected drives based on registry
- Remote Services: SMB/Windows Admin Shares
- System Network Configuration Discovery: Internet Connection Discovery
PID:3736
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:708
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (2): Image File Execution Options Injection (1), Netsh Helper DLL (1)
- Power Settings (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (2): Image File Execution Options Injection (1), Netsh Helper DLL (1)
Downloads