Analysis Overview
SHA256
1f75a4165bfd37b5c497d771ddc81c06daf4303f23973dd957ce3fcb52fd6966
Threat Level: Known bad
The file blackbird.exe was found to be: Known bad.
Malicious Activity Summary
Turns off Windows Defender SpyNet reporting
Stops running service(s)
Possible privilege escalation attempt
Modifies file permissions
UPX packed file
Drops file in Program Files directory
Launches sc.exe
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Kills process with taskkill
Enumerates processes with tasklist
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Gathers network information
Delays execution with timeout.exe
Disables Windows logging functionality
Uses Task Scheduler COM API
Modifies registry class
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-18 14:57
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-18 14:57
Reported
2024-03-18 15:02
Platform
win7-20240221-en
Max time kernel
110s
Max time network
120s
Command Line
Signatures
Stops running service(s)
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables Windows logging functionality
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | N/A | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies registry key
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\blackbird.exe
"C:\Users\Admin\AppData\Local\Temp\blackbird.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\589B.tmp\589C.tmp\589D.bat C:\Users\Admin\AppData\Local\Temp\blackbird.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo ;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\; "
C:\Windows\system32\find.exe
find /C /I "\system32;"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo ;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\; "
C:\Windows\system32\find.exe
find /C /I "\wbem;"
C:\Windows\system32\reg.exe
reg add HKLM /F
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\shutdown.exe
shutdown /a
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic /node:"IKJSPGIM" COMPUTERSYSTEM GET USERNAME | findstr /i "IKJSPGIM"
C:\Windows\System32\Wbem\WMIC.exe
wmic /node:"IKJSPGIM" COMPUTERSYSTEM GET USERNAME
C:\Windows\system32\findstr.exe
findstr /i "IKJSPGIM"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users\Admin\AppData\Local\Temp\blackbirds_temp "
C:\Windows\system32\findstr.exe
findstr /i ".*\\blackbirds_temp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ "
C:\Windows\system32\findstr.exe
findstr /i "powershell"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mode con|findstr /n "^"|findstr /l /b /c:"5:"
C:\Windows\system32\mode.com
mode con
C:\Windows\system32\findstr.exe
findstr /n "^"
C:\Windows\system32\findstr.exe
findstr /l /b /c:"5:"
C:\Windows\system32\reg.exe
reg query "HKCU\Control Panel\Desktop"
C:\Windows\system32\findstr.exe
findstr /ir "\<PreferredUILanguages.*REG_MULTI_SZ "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\System\ControlSet001\Control\Nls\Language" /v "InstallLanguage" | findstr /ir "\<InstallLanguage.*REG_SZ "
C:\Windows\system32\reg.exe
reg query "HKLM\System\ControlSet001\Control\Nls\Language" /v "InstallLanguage"
C:\Windows\system32\findstr.exe
findstr /ir "\<InstallLanguage.*REG_SZ "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_useraccount where name='Admin' get sid"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_useraccount where name='Admin' get sid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" dir /b "C:\Program Files (x86)\" "
C:\Windows\system32\findstr.exe
findstr /irc:"NVIDIA Corporation"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:06 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:06 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:60 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\reg.exe
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows
C:\Windows\system32\findstr.exe
findstr /irc:".*\\Windows\\WindowsUpdate$"
C:\Windows\system32\reg.exe
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
C:\Windows\system32\findstr.exe
findstr /irc:".*\\WindowsUpdate\\AU$"
C:\Windows\system32\reg.exe
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
C:\Windows\system32\findstr.exe
findstr /irc:" AUOptions .*REG_DWORD .*0x[3-5]$"
C:\Windows\system32\reg.exe
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
C:\Windows\system32\findstr.exe
findstr /irc:" AUOptions .*REG_DWORD .*0x2$"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB971033 KB2876229 KB2882822 KB2902907 KB2922324 KB2952664 KB2976978 KB2976987 KB2977759 KB2990214 KB3012973 KB3014460 KB3015249 KB3021917 KB3022345 KB3035583 KB3044374 KB3046480 KB3050265 KB3050267 KB3064683 KB3065987 KB3065988 KB3068707 KB3068708 KB3072318 KB3074677 KB3075249 KB3075851 KB3075853 KB3080149 KB3080351 KB3081427 KB3081437 KB3081451 KB3081454 KB3081954 KB3083324 KB3083325 KB3083710 KB3083711 KB3090045 KB3095675 KB3112336 KB3112343 KB3123862 KB3124275 KB3134814 KB3135445 KB3138612 KB3138615 KB3139929 KB3140166 KB3140185 KB3146449 KB3150513 KB3173040 KB4493132"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\findstr.exe
findstr /i "gwx.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh interface ipv6 show route | findstr /rc:".* 1 .*\:.*\:.*\:.*/128 .* \:\:1$"
C:\Windows\system32\netsh.exe
netsh interface ipv6 show route
C:\Windows\system32\findstr.exe
findstr /rc:".* 1 .*\:.*\:.*\:.*/128 .* \:\:1$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh interface ipv4 show route | findstr /rc:".* 1 .*[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/32 .* 127.0.0.0$" | findstr /r /v "0\.0\.0\.0"
C:\Windows\system32\netsh.exe
netsh interface ipv4 show route
C:\Windows\system32\findstr.exe
findstr /rc:".* 1 .*[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/32 .* 127.0.0.0$"
C:\Windows\system32\findstr.exe
findstr /r /v "0\.0\.0\.0"
C:\Windows\system32\schtasks.exe
schtasks /query /fo list
C:\Windows\system32\findstr.exe
findstr /vr ".*\\WinSAT$"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Agent Activation Runtime\\S-1-5-21-406356229-2805545415-1236085040-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\Office 15 Subscription Heartbeat$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\AgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\AppID\\SmartScreenSpecific$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\AppID\\VerifiedPublisherCertStoreCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Application Experience\\AitAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Application Experience\\Microsoft Compatibility Appraiser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Application Experience\\PcaPatchDbTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Application Experience\\ProgramDataUpdater$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Application Experience\\StartupAppTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierDaily$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierInstall$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\ApplicationData\\DsSvcCleanup$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Autochk\\Proxy$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\CloudExperienceHost\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\BthSQM$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\HypervisorFlightingTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\KernelCeipTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\Uploader$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\UsbCeip$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Device Information\\Device$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Device Information\\Device User$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Device Setup\\Metadata Refresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Diagnosis\\RecommendedTroubleshootingScanner$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Diagnosis\\Scheduled$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticDataCollector$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticResolver$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\DiskFootprint\\Diagnostics$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\End Of Support\\Notify1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\End Of Support\\Notify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\ErrorDetails\\EnableErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\ErrorDetails\\ErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Feedback\\Siuf\\DmClient$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Feedback\\Siuf\\DmClientOnScenarioDownload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\FileHistory\\File History (maintenance mode)$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Flighting\\FeatureConfig\\ReconcileFeatures$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Flighting\\FeatureConfig\\UsageDataFlushing$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Flighting\\FeatureConfig\\UsageDataReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\IME\\SQM data sender$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Input\\LocalUserSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Input\\MouseSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Input\\PenSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Input\\TouchpadUserSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\LanguageComponentsInstaller\\Installation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\LanguageComponentsInstaller\\ReconcileLanguageResources$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Location\\Notifications$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Maintenance\\WinSAT$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Management\\Provisioning\\Cellular$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Management\\Provisioning\\Logon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\ActivateWindowsSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\ConfigureInternetTimeService$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\DispatchRecoveryTasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\ehDRMInit$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\InstallPlayReady$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\mcupdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\MediaCenterRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\ObjectStoreRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\OCURActivate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\OCURDiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\PBDADiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\PvrRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\PvrScheduleTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\RegisterSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\ReindexSearchRoot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\SqlLiteRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\UpdateRecordPath$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Mobile Broadband Accounts\\MNO Metadata Parser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\NetTrace\\GatherNetworkInfo$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\NlaSvc\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\PerfTrack\\BackgroundConfigSurveyor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\PI\\Sqm-Tasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeSystem$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\PushToInstall\\LoginCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\PushToInstall\\Registration$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\RemoteAssistance\\RemoteAssistanceTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\RemovalTools\\MRT_ERROR_HB$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\SettingSync\\BackgroundUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\SettingSync\\BackupTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\SettingSync\\NetworkStateChangeTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\EOSNotify$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\EOSNotify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\gwx\\launchtrayprocess$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfigandcontent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\refreshgwxconfig-B$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Telemetry-4xd$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Shell\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyMonitor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyMonitorToastTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyRefresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyRefreshTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyUpload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\SideShow\\SessionAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\SideShow\\SystemDataProviders$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Speech\\SpeechModelDownloadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Maintenance Install$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_AC$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_Battery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Report policies$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Maintenance Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan Static Task$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Wake To Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_Broker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_RebootDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_ReadyToReboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\UpdateModelTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UPnP\\UPnPHostConfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\User Profile Service\\HiveUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\WaaSMedic\\PerformRemediation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\WCM\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Windows Error Reporting\\QueueReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\WindowsUpdate\\sih$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\WlanSvc\\CDSSync$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\XblGameSave\\XblGameSaveTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\XblGameSave\\XblGameSaveTaskLogon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\OneDrive Standalone Update Task-S-1-5-21-406356229-2805545415-1236085040-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\NvTmRep$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\NvTmRepCR1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\NvTmRepCR2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\NvTmRepCR3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\AarSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\AeLookupSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\AeLookupSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\BcastDVRUserService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\BluetoothUserService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\CaptureService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\cbdhsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\CDPSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\CDPUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\cldflt$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\ConsentUxUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\CredentialEnrollmentManagerUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DcpSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DeviceAssociationBrokerSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DeviceAssociationService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DevicePickerUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DevicesFlowUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\diagnosticshub.standardcollector.service$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\diagsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DiagTrack$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DmWapPushService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DoSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DPS$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DPS
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DsSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\fdPHost$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\fdPHost
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\FDResPub$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\FDResPub
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\HPTouchpointAnalyticsService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\IEEtwCollectorService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\IEEtwCollectorService
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\InstallService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\iphlpsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\lanmanserver$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\lfsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\lmhosts$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\lmhosts
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\LxpSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\MessagingService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\MRxDAV$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\MRxSMB10$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxSMB10
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\NcaSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\NcbService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\NetBT$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\NetBT
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\NetMsmqActivator$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\NetMsmqActivator
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\OneSyncSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\PcaSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\PcaSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\PimIndexMaintenanceSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\PrintWorkflowUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\PushToInstall$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\RemoteAccess$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\RemoteRegistry$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\RetailDemo$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\sgrmbroker$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\shpamsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\SmsRouter$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\srv$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\srv
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\SSDPSRV$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\StorSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\telemetry$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\TrkWks$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrkWks
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\tunnel$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\tunnel
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\UevAgentService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\UnistoreSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\upnphost$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\upnphost
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\UserDataSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\VDWFP$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\VisualDiscovery$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\W32Time$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WaaSMedicSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\wcncsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wcncsvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WdiServiceHost$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WdiServiceHost
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WdiSystemHost$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WdiSystemHost
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WebClient$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WebClient
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\wercplsupport$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wercplsupport
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WerSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WerSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WinHttpAutoProxySvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WinRM$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WinRM
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\wisvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\wlidsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WMPNetworkSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WpnService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WpnUserService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\xbgm$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\XblAuthManager$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\XblGameSave$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\XboxGipSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\XboxNetApiSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\NvTelemetryContainer$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger" | findstr /v "ReadyBoot EventLog- Status" | findstr /i ".*\\WMI\\Autologger\\.*"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger"
C:\Windows\system32\findstr.exe
findstr /v "ReadyBoot EventLog- Status"
C:\Windows\system32\findstr.exe
findstr /i ".*\\WMI\\Autologger\\.*"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-Setup"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NBSMBLOGGER"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NtfsLog"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\PEAuthLog"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\PerfPipeUserSession:0"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\PerfPipeUserSession:1"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\PerfPipeUserSession:2"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\PerfPipeUserSession:3"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\RAC_PS"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\RdrLog"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TCPIPLOGGER"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\UBPM"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WFP-IPsec Trace"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:2f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:2f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\findstr.exe
findstr /a:0f "." "/.\'" nul
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:2f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:2f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:2f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0e /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0e /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:06 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xcopy /L /w "C:\Users\Admin\AppData\Local\Temp\589B.tmp\589C.tmp\589D.bat" "C:\Users\Admin\AppData\Local\Temp\589B.tmp\589C.tmp\589D.bat" 2>NUL
C:\Windows\system32\xcopy.exe
xcopy /L /w "C:\Users\Admin\AppData\Local\Temp\589B.tmp\589C.tmp\589D.bat" "C:\Users\Admin\AppData\Local\Temp\589B.tmp\589C.tmp\589D.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\589B.tmp\589C.tmp\589D.bat" nul /z
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB971033"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB2876229"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB2882822"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB2902907"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB2922324"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB2952664"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB2976978"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB2976987"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB2977759"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB2990214"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3012973"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3014460"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3015249"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3021917"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3022345"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3035583"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3044374"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3046480"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3050265"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3050267"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3064683"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3065987"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3065988"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3068707"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3068708"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3072318"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3074677"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3075249"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3075851"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3075853"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3080149"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3080351"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3081427"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3081437"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3081451"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3081454"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3081954"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3083324"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3083325"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3083710"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3083711"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3090045"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3095675"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3112336"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3112343"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3123862"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3124275"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3134814"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3135445"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3138612"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3138615"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3139929"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3140166"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3140185"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3146449"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3150513"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB3173040"
C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"
C:\Windows\system32\findstr.exe
findstr "KB4493132"
C:\Windows\system32\schtasks.exe
schtasks /query /fo list
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Agent Activation Runtime\\S-1-5-21-406356229-2805545415-1236085040-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\Office 15 Subscription Heartbeat$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetry\\AgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetry\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetryAgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetryAgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetryAgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\AppID\\SmartScreenSpecific$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\AppID\\VerifiedPublisherCertStoreCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\AitAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\Microsoft Compatibility Appraiser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\PcaPatchDbTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\ProgramDataUpdater$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\StartupAppTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierDaily$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierInstall$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\ApplicationData\\DsSvcCleanup$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Autochk\\Proxy$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\CloudExperienceHost\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\BthSQM$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\HypervisorFlightingTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\KernelCeipTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\Uploader$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\UsbCeip$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Device Information\\Device$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Device Information\\Device User$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Device Setup\\Metadata Refresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Diagnosis\\RecommendedTroubleshootingScanner$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Diagnosis\\Scheduled$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticDataCollector$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticResolver$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\DiskFootprint\\Diagnostics$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\End Of Support\\Notify1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\End Of Support\\Notify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\ErrorDetails\\EnableErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\ErrorDetails\\ErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Feedback\\Siuf\\DmClient$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Feedback\\Siuf\\DmClientOnScenarioDownload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\FileHistory\\File History (maintenance mode)$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Flighting\\FeatureConfig\\ReconcileFeatures$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Flighting\\FeatureConfig\\UsageDataFlushing$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Flighting\\FeatureConfig\\UsageDataReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\IME\\SQM data sender$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Input\\LocalUserSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Input\\MouseSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Input\\PenSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Input\\TouchpadUserSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\LanguageComponentsInstaller\\Installation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\LanguageComponentsInstaller\\ReconcileLanguageResources$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Location\\Notifications$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Maintenance\\WinSAT$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Management\\Provisioning\\Cellular$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Management\\Provisioning\\Logon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ActivateWindowsSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ConfigureInternetTimeService$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\DispatchRecoveryTasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ehDRMInit$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\InstallPlayReady$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\mcupdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\MediaCenterRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ObjectStoreRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\OCURActivate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\OCURDiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PBDADiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PvrRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PvrScheduleTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\RegisterSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ReindexSearchRoot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\SqlLiteRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\UpdateRecordPath$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Mobile Broadband Accounts\\MNO Metadata Parser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\NetTrace\\GatherNetworkInfo$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\NlaSvc\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\PerfTrack\\BackgroundConfigSurveyor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\PI\\Sqm-Tasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeSystem$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\PushToInstall\\LoginCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\PushToInstall\\Registration$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\RemoteAssistance\\RemoteAssistanceTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\RemovalTools\\MRT_ERROR_HB$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\SettingSync\\BackgroundUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\SettingSync\\BackupTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\SettingSync\\NetworkStateChangeTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\EOSNotify$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\EOSNotify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\gwx\\launchtrayprocess$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfigandcontent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\refreshgwxconfig-B$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Telemetry-4xd$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyMonitor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyMonitorToastTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyRefresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyRefreshTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyUpload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\SideShow\\SessionAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\SideShow\\SystemDataProviders$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Speech\\SpeechModelDownloadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Maintenance Install$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_AC$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_Battery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Report policies$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Maintenance Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan Static Task$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Wake To Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_Broker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_RebootDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_ReadyToReboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\UpdateModelTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UPnP\\UPnPHostConfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\User Profile Service\\HiveUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\WaaSMedic\\PerformRemediation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\WCM\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Windows Error Reporting\\QueueReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\WindowsUpdate\\sih$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\WlanSvc\\CDSSync$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\XblGameSave\\XblGameSaveTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\XblGameSave\\XblGameSaveTaskLogon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\OneDrive Standalone Update Task-S-1-5-21-406356229-2805545415-1236085040-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\NvTmRep$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\NvTmRepCR1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\NvTmRepCR2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\NvTmRepCR3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\AarSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\AeLookupSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\AeLookupSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x3$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\AeLookupSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[1-2]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\AeLookupSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x0$"
C:\Windows\system32\sc.exe
sc stop AeLookupSvc
C:\Windows\system32\sc.exe
sc pause AeLookupSvc
C:\Windows\system32\sc.exe
sc stop AeLookupSvc
C:\Windows\system32\sc.exe
sc config AeLookupSvc start= disabled
C:\Windows\system32\reg.exe
reg add HKLM\SYSTEM\CurrentControlSet\Services\AeLookupSvc /v Start /t REG_DWORD /d 4 /f
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\AeLookupSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo AeLookupSvc "
C:\Windows\system32\findstr.exe
findstr /r "\<HPTouchpointAnalyticsService\> \<VDWFP\> \<VisualDiscovery\> \<NvTelemetryContainer\>"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\BcastDVRUserService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\BluetoothUserService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\CaptureService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\cbdhsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\CDPSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\CDPUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\cldflt$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\ConsentUxUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\CredentialEnrollmentManagerUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DcpSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DeviceAssociationBrokerSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DeviceAssociationService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DevicePickerUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DevicesFlowUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\diagnosticshub.standardcollector.service$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\diagsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DiagTrack$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DmWapPushService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DoSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DPS$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DPS
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x3$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DPS
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[1-2]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DPS
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x0$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DsSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\fdPHost$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\fdPHost
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x3$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\fdPHost
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[1-2]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\fdPHost
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x0$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\FDResPub$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\FDResPub
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x3$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\FDResPub
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[1-2]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\FDResPub
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x0$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\HPTouchpointAnalyticsService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\IEEtwCollectorService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\IEEtwCollectorService
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x3$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\IEEtwCollectorService
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[1-2]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\IEEtwCollectorService
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x0$"
C:\Windows\system32\sc.exe
sc stop IEEtwCollectorService
C:\Windows\system32\sc.exe
sc pause IEEtwCollectorService
C:\Windows\system32\sc.exe
sc stop IEEtwCollectorService
C:\Windows\system32\sc.exe
sc config IEEtwCollectorService start= disabled
C:\Windows\system32\reg.exe
reg add HKLM\SYSTEM\CurrentControlSet\Services\IEEtwCollectorService /v Start /t REG_DWORD /d 4 /f
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\IEEtwCollectorService
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo IEEtwCollectorService "
C:\Windows\system32\findstr.exe
findstr /r "\<HPTouchpointAnalyticsService\> \<VDWFP\> \<VisualDiscovery\> \<NvTelemetryContainer\>"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\InstallService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\iphlpsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x3$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[1-2]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x0$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\lanmanserver$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x3$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[1-2]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x0$"
C:\Windows\system32\sc.exe
sc stop lanmanserver
C:\Windows\system32\sc.exe
sc pause lanmanserver
C:\Windows\system32\sc.exe
sc stop lanmanserver
C:\Windows\system32\sc.exe
sc config lanmanserver start= disabled
C:\Windows\system32\reg.exe
reg add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver /v Start /t REG_DWORD /d 4 /f
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo lanmanserver "
C:\Windows\system32\findstr.exe
findstr /r "\<HPTouchpointAnalyticsService\> \<VDWFP\> \<VisualDiscovery\> \<NvTelemetryContainer\>"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\lfsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\lmhosts$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\lmhosts
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x3$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\lmhosts
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[1-2]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\lmhosts
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x0$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\LxpSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\MessagingService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\MRxDAV$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x3$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[1-2]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x0$"
C:\Windows\system32\sc.exe
sc stop MRxDAV
C:\Windows\system32\sc.exe
sc pause MRxDAV
C:\Windows\system32\sc.exe
sc stop MRxDAV
C:\Windows\system32\sc.exe
sc config MRxDAV start= disabled
C:\Windows\system32\reg.exe
reg add HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV /v Start /t REG_DWORD /d 4 /f
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo MRxDAV "
C:\Windows\system32\findstr.exe
findstr /r "\<HPTouchpointAnalyticsService\> \<VDWFP\> \<VisualDiscovery\> \<NvTelemetryContainer\>"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\MRxSMB10$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxSMB10
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x3$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxSMB10
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[1-2]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxSMB10
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x0$"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.2o7.net | udp |
| US | 8.8.8.8:53 | 112.2o7.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1storecatalogrevocation.storequality.microsoft.com | udp |
| US | 8.8.8.8:53 | 1storecatalogrevocation.storequality.microsoft.com | udp |
| US | 8.8.8.8:53 | 1storecatalogrevocation.storequality.microsoft.com | udp |
| US | 8.8.8.8:53 | 1storecatalogrevocation.storequality.microsoft.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/2624-0-0x0000000140000000-0x00000001400B7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\589B.tmp\589C.tmp\589D.bat
| MD5 | 094fe951e317efb61ed1f050cd6d4220 |
| SHA1 | a9ee17b0573d9191da8242f6922075e3c2a021a2 |
| SHA256 | 9ed136a0badeae075bb4298500840a4b9a53365ee11449af0cf25886f25f206b |
| SHA512 | 9a0571f51deced515e3c125ef54bbc30e7d1afb45d8bd2d84525b8cc555c36cad0cefd6cf8c1a8b68e7eaef7d3f23eab133680387ae3cb26d24ca8d40fcd0f58 |
C:\Users\Admin\AppData\Local\Temp\'
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | a81cced386011e782b43c0d3251b560b |
| SHA1 | 6b7d165226b6a6a9c09c114917d6f7b70ed3d52b |
| SHA256 | aa03808fa7d3d597c9532b62ac48a55e5796cc947fedc98becb5e41f15f8e2e9 |
| SHA512 | 215273e2c7f2dee477cf55db257cf91b6c9666ab21d8cb07f273371239bc267b8ef634ca9ea396fe4252351fe64f60eac436faedab1bd8d2d78234cf3fa95608 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 44f81b751ab0e430f91039661badb994 |
| SHA1 | 8c6c0a80f9545745bccb1dc60208e90954c025ec |
| SHA256 | c9061f8a635d7b49893673b6c69d3c400972e45f221f698efde216d476f9387e |
| SHA512 | e5dd78db2bab945bcbb56242579e82ea670033410f48f22c5dd52621db1811be2c7e1dc134ab563355113e437b536a8e5abf931fa700705721a89172a5e1aa8e |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 91418fff4aedc3c32effe9e134de31c7 |
| SHA1 | 9e399d8a14d2848736e3e79d9768f9384ffdfaf0 |
| SHA256 | c146fe1ea70d4f8919324ebf2e05386a081365b006f14fa7d4de18e16b08b7b8 |
| SHA512 | 611f10e011b458a77bf94b5cfb0f7f5a8095df46f2e41db491ae7407264acd059cc728cb1837ab0274c481b6dd7e156f45608450ab707036310acd9fcee00349 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 314facf04e765b8d30c8394a8db979cf |
| SHA1 | 898c853f7367027f3f9755ae28c9ab5d3d7aceda |
| SHA256 | 30a27a15ee3b707af70bcf7e3010c8d95fb2210c5f2ec39b3cbc11030a8d971d |
| SHA512 | ae4350a37227b38c707b12e323f309091fd0f1bcb56a1b912bb2fe7d9ea89982c588beb2dbdde637fcbf9af2cfbe35deb0c461b36ea57d2c9319ac4d765b4d60 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | cf0e6212974313466638c2ee46fb0d0f |
| SHA1 | e59d48fb0dd400f65d62f542b554b0157adb7735 |
| SHA256 | 6f64b34df0d4a3cde3050a75636f79354f5c800e0fbf50d6456a371b63926120 |
| SHA512 | 4e2f23238b889f84b59e0d83b5ef2e3981bbfa4506f114b2e53986eae7cb0a028c59ed6f039428be0dbea67df6de454c611ee4016f3327ce88cab7bd63172395 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 3884887f65745965da0fe42ff68e8e46 |
| SHA1 | 5001b2948c288653e16248f8761b4c9ed8900044 |
| SHA256 | 08b46b6d09e7678b034b1ccf96a366f71d001127554bef9fd97fff7873beda99 |
| SHA512 | 9ed3406b7272eee3a13731f1649e1fd2f3273f472f5dc192e749afd0ac5e4f4f7d46d4447212b880f8730bb3b46bf0c842d3648a6101f1493b7a111b72e09788 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 69fbb26c1d8f4df2a309f9cf88340928 |
| SHA1 | 990792f5db60f5a27fed21303039459dca6cc877 |
| SHA256 | fbfaac26f2d0240a0764407c4848e8989b09855988f63023b4b0faec9970d929 |
| SHA512 | 7c60adc20b4df64f34c1e727d650de14509bd1033e86c22729de4eb958ae92e14cdb920a902f8605f21b23c714b34017454c89db352d0f299b019283388367b3 |
C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp
| MD5 | e78b508639d9713e3cec177c0a9567fa |
| SHA1 | c73bcf9cd8c9300192025333ba26421b1714b6ef |
| SHA256 | 01c6fc41031b1e402226bddc83b677a81d5407787451bebaccc3e3c2bca46f1b |
| SHA512 | a6bdf6d032f59b6cf2a26206e5a495336c54b15f57411b8811e6bc2d989fd2c984e91b64c5d1740aea37e5afd63403c0e38eb2475d91972349260154bb025a4e |
memory/2624-33-0x0000000140000000-0x00000001400B7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 4e13bc2227bf31265b8db09593cb3657 |
| SHA1 | 85ad3efe4613e7a37d697b9a72e0bc1bcbda1c57 |
| SHA256 | 037dc57dd95d18bf446bfc091c84df9659c83ec31a2bf28332833a2af902d10c |
| SHA512 | c699d077d94a6b37239dc2da072f62f947bd140d7be9b8ccb3338fe101dfb9aff07b99aa2b924e20df1a99abf4f18089ce1d9d9c16fdd5d0468d1e8f24cdbf15 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 943471f039cb82d7e5a146f2397807c3 |
| SHA1 | fc5d5e2f5bd4caf930ae823a080754b3bc3c8d2e |
| SHA256 | 92eddbb3afb6348f90603b48a65b7e3d300b525107b5d6299b5738d2517d4dff |
| SHA512 | 25dec352d18b6263ffefaadf8f5acb0509a4a437425a8d9af96623696f7d6db5d1f9bc6197ecfffbbfad10c045ab5a6f71ba074d45e9d1388fac40533bbb4b8d |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 266b2aabcd30d0afd83540daae99a22b |
| SHA1 | 6e94ebdc327d1581eab746c27cfe816948c38ab7 |
| SHA256 | 6921ef6e2f742568023da2ec7bb3eb0e0b0d85820c1471a0c95c959dac19c8be |
| SHA512 | 738cf6d936301f1b049e934710002432b6a2689aceaeb3be80b6dbcb41deadf553d83fa7ea8851234e6917e1582da6545aaf22b0e31e0c5baa9144e68bea4051 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 3b2db7343a54976591a5168e04c80a6b |
| SHA1 | ff675e5d08a05a245a95251c5925b6a2e8ef60b3 |
| SHA256 | d8bd301831591a8060a2e48625a783bdbe4e22d380f9f7b2a0fb463e1711b323 |
| SHA512 | db3058f54a57852501005308a6b4cd524e0e780bcf26dcec7a80827bf7120ab21b87bec68bc154e7d7c89be284e2358e41a403cbebff85926b97b98444c5c33d |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 970785299fcc92ab24103af56c64cfd3 |
| SHA1 | 72a8bada2a8aa69634c5b7ac2bb850c8ef3f3d48 |
| SHA256 | 59204b27e2569e9c5a481af3886abe6bc4b8dda6a450102b84612e72a90f151c |
| SHA512 | 93dbf4989db1e7cf5fda8ff02ebd2eacc4ae74142ddd328a103c3034724eea04621777dc742a6a347bad91468b4890675efddc8024f05a35eb9f13dd7c73dc81 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | d848215b6764a9ec4f96ebb68a18ab8e |
| SHA1 | 985534b9ac7ce7f764adb4f2a12d9f384f9e1cce |
| SHA256 | 166b013db8c49ca1db500d14a9b1e157c20a28497a559a9a07b37d91881705b9 |
| SHA512 | 4f1554e89ad0c8a4e68a6484c98bc3fac14f6d71a90280f3d83e0ebea53d96c2738751749c666449c5d137fc70bef317f7d10d8da107b58d6eb26cdef7d4f296 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 8d0147ec334f4b2567029dfce703fcde |
| SHA1 | b1821df7c08d996d0d4fd09165ba2c6e2b2ecc24 |
| SHA256 | a4307857231aad4e1ad6c49fd5cc4e5ecaa593cf671fbe48c3002e4fa604fdf2 |
| SHA512 | 6e3d14675079e0c5869a1879c5a33e8082b2ad90a716fe9f6d66a660a40ee110935c0bbb668b8bf4c190e9fb28582d6c4e9942b04c7a30417323dafe2146aeea |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | c82a9ecd14c067e8a52e2ae041d5790f |
| SHA1 | 9491863a587f01917a6de13235721f769f4ecbf9 |
| SHA256 | db036483e8b88559a05534170f842bf0339f6f258122845568345ec8e4402782 |
| SHA512 | 127ab799d673ad3ec8d2ed7e9fff5758ed241b1be6c3039c499385b35dc9f7db007d92477c905995da69b7f4679ef528352f5ea2978e23bc2f4017dbdbdf4b78 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 599f806a626dda2fa2cbc755e98b5bb4 |
| SHA1 | 30d69b664f0eb40102a1de9dc34e7a2fa33f21e5 |
| SHA256 | 702ef14a4166667a42ee50f5a04298c951ba7464653e04ea04a6610386ac6c33 |
| SHA512 | 318a531b6991ec1bebc21ded11555c3043e6674eb68b11218aa47ac4782463c3e8d58620a5b6d69860a659ac383cd3cc404fc659c85c839ecbba7f30b9fb981e |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 3c0e051cae923ef7acf4d09afdfd0427 |
| SHA1 | a7c7b28c1f749cf9e1514c9d2198b7c08ceb5d05 |
| SHA256 | 823762c92e56396a66bbcac80faa9a3f52f7b05351dbd43369a22dad8c38d010 |
| SHA512 | 0b6192ca85587a765591409900ac45c333f600ed08f4dc1a10993317d6d048cd0beb05981109b738fe5527fd92e5ee2d819d273f55bf0c5c49e594a5966abee4 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 7599a325cf1a36c246a529fcdc275997 |
| SHA1 | 1d833c66beba196c98c52e66729d558d04a2dd49 |
| SHA256 | 44242cb16a6ec0f8d095269b2b996c9653e186db83279bf1ace7c8c6064c23ca |
| SHA512 | 14b0b24f90a3cc32ea2a6793a0958b2fb8a2149f4100d121bec07f7beb7a84f40db74fd7e4c09b2704d96f98d1d7203b2708930e4c2e2ca5d6604a6b8cc61aae |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 9e02df7d26d8ae7e4ee4ea7d2964ce51 |
| SHA1 | e29683d5bdabf7b5d4c347ab876fd25aac8bd63d |
| SHA256 | b9e90e86fc813ccc451903725367bb124e688d1a12a9d742ec74eec09dc818e4 |
| SHA512 | 1fbfc402fca8a8a364ea13548f072db88a5b50212a9e413bbfe40d2947484d78f71b618d1916eab7217037b490ac8812b430d39b19e030885dd39e605d6f53cc |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 237c381ff62b8ad803b2e46b84bdd865 |
| SHA1 | 6726124b70a147d2212f970c56132c433c1cbb4e |
| SHA256 | aecdb30ec71648ba9c362bc9534cd72f99358387bc2ca2e6b78cd5353d61cc63 |
| SHA512 | e6c0b0e484b21c98b0c744a88621310d7e66d75a757ff1732277ed833889bfc507e6026d41cad379583c161ef82facf55f286f85c52d4bb5316efd768969a7bd |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | b480255996df220923cdfe9fa128f1f2 |
| SHA1 | 4ba834d3670d39570b9a183d6f1f4ea7ef8fa0bc |
| SHA256 | f12bc136869e8891ed61eac10fdf52074f9cb3ac3c56a897ab141a36ad5526f8 |
| SHA512 | 12b6e0ae104849c93b9844eff74256327ec51aaedcfe9fc5ecc88f9b15cd632e691c5f4ccf88d8642c63d537af06bab998e57d0270a9457d97ebd912fc3b166d |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 0efa62e28f946112649b917f19e96c90 |
| SHA1 | be33e7fb85194a025460bf9dabd7236e7935e7ba |
| SHA256 | 6ac5c33ccc6b9db0424c3c38acda4ee0aacf21155aef111857f4889080c93400 |
| SHA512 | 6497b3aea9d35fbbbf87f8253e61442e590f3a432ed53e166aa3d14c9d54afd73da0b1b44850b6f6e00674e427b818dafaa1c463057be0f5baba0d9edcf962d9 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 9e5bc90abc2d668ec0edeafd847a367c |
| SHA1 | f12743d1f5407546eb70c162d53d6a05870b680f |
| SHA256 | ea94e743be9a8e6c294bccf4f3f7bd0a0f459aecb6d272098e91eab3fade3a23 |
| SHA512 | 17f5ad246b0d93e7f3d51227797ac6f0a380799a688c8dd1ab233d82938d1b21c86a2a256e42e6814d3efed24252101f4082c056bd17366a1a70aad7aa090649 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | e75b24a3f3a9a5e65ee890cc95be6949 |
| SHA1 | 89b90b0251baa77a186d00ef3e8ffc76edd65aba |
| SHA256 | 5b0e23aef6a89ee46f0b96fc8a820dc9feca59ff3c2a49b1979f692796a4c9d7 |
| SHA512 | 3887322d4f485379980c4130d3109824fe54558e3836bf68fe01d1842b5cc5acda726b8fc4a70d7f2df5e00ba329061eb2e606bd3a2d956974675f873777d0ff |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 8da145462f785db926f4289d0a9c2fdb |
| SHA1 | 32c2bd035bdc95f1d3c7ed4850545004653eb1ed |
| SHA256 | 2556082038f3a5bd5752b774971e7a5744a5f7a17452277ef46b215c73de2132 |
| SHA512 | 958fc6e754036bba5cdee1638639586ccde6b3adc6deadc5c8ac1cf10e8a06db9d3c44d13957eab0ca2d31ba70adfdac5e6be6616ebc1d109a91b27700044caa |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 28b4ffd6efb374469609c1d8fba31c4d |
| SHA1 | 6e70d8ce6a3d22c3f8e1ed7aa5b70556712331f8 |
| SHA256 | b0eacbaca80bce3d73d60c5ee14e219573474fcf9c94a269e61746b09f6e1fba |
| SHA512 | 88ff8492390e577770f1a47d773c981b2f662962d37f6ad43eec40571442dd0c9300f88af51e5dc91fa62274e8498c4d2b8106ef910af7eb8299fd69268dac0f |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 1e930993fa6581249e4c13726d1cb09d |
| SHA1 | f34f88fddcea971d4ee8cfd27b18f62fd11f5df2 |
| SHA256 | cd8746fce7c39374e2612724cb78ba4d6d8bf9a326d0804f464516039c7a482f |
| SHA512 | b918c8360e8d5b998e8e92ec2e075dab749c0faabb3a652d3c92338985f01912664d0828b9cb061786b32ce875d1bd718baccdf32c7553ccda15dbdc3216883a |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | f59c8225d45fea0c2f3ac81076972e64 |
| SHA1 | eab8e70c711290d71e86aad0de22bbc470f0272c |
| SHA256 | 969df9f0b907b29ea0c707e677b3cfccc845eeb9c79a0f876ccc3c0a19f49aa0 |
| SHA512 | d3783e7f962b14af39274a5fe3dfdf0b9c05dfd2c9142686c4b68af6dc6d6c558ef39996ed047696224294e09b2ef9fe8916d9afe1ce73ea85572f6d4f4ef67a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-18 14:57
Reported
2024-03-18 15:02
Platform
win10v2004-20240226-en
Max time kernel
243s
Max time network
248s
Command Line
Signatures
Turns off Windows Defender SpyNet reporting
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Stops running service(s)
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps | C:\Windows\system32\attrib.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables Windows logging functionality
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.549981C3F5F10_8wekyb3d8bbwe\CortanaStartupId | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.549981C3F5F10_8wekyb3d8bbwe\CortanaStartupId\State = "1" | N/A | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\ms-msdt\shell\open | N/A | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\ms-msdt | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData | N/A | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\ms-msdt\shell\open\command | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft | N/A | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\ms-msdt\shell | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.549981C3F5F10_8wekyb3d8bbwe | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows | N/A | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\blackbird.exe
"C:\Users\Admin\AppData\Local\Temp\blackbird.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5D43.tmp\5D44.tmp\5D45.bat C:\Users\Admin\AppData\Local\Temp\blackbird.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo ;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;; "
C:\Windows\system32\find.exe
find /C /I "\system32;"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo ;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;; "
C:\Windows\system32\find.exe
find /C /I "\wbem;"
C:\Windows\system32\reg.exe
reg add HKLM /F
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\shutdown.exe
shutdown /a
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic /node:"ETDALPOV" COMPUTERSYSTEM GET USERNAME | findstr /i "ETDALPOV"
C:\Windows\System32\Wbem\WMIC.exe
wmic /node:"ETDALPOV" COMPUTERSYSTEM GET USERNAME
C:\Windows\system32\findstr.exe
findstr /i "ETDALPOV"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users\Admin\AppData\Local\Temp\blackbirds_temp "
C:\Windows\system32\findstr.exe
findstr /i ".*\\blackbirds_temp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps; "
C:\Windows\system32\findstr.exe
findstr /i "powershell"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mode con|findstr /n "^"|findstr /l /b /c:"5:"
C:\Windows\system32\mode.com
mode con
C:\Windows\system32\findstr.exe
findstr /n "^"
C:\Windows\system32\findstr.exe
findstr /l /b /c:"5:"
C:\Windows\system32\reg.exe
reg query "HKCU\Control Panel\Desktop"
C:\Windows\system32\findstr.exe
findstr /ir "\<PreferredUILanguages.*REG_MULTI_SZ "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\System\ControlSet001\Control\Nls\Language" /v "InstallLanguage" | findstr /ir "\<InstallLanguage.*REG_SZ "
C:\Windows\system32\reg.exe
reg query "HKLM\System\ControlSet001\Control\Nls\Language" /v "InstallLanguage"
C:\Windows\system32\findstr.exe
findstr /ir "\<InstallLanguage.*REG_SZ "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_useraccount where name='Admin' get sid"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_useraccount where name='Admin' get sid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" dir /b "C:\Program Files (x86)\" "
C:\Windows\system32\findstr.exe
findstr /irc:"NVIDIA Corporation"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:06 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:06 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:60 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh interface ipv6 show route | findstr /rc:".* 1 .*\:.*\:.*\:.*/128 .* \:\:1$"
C:\Windows\system32\netsh.exe
netsh interface ipv6 show route
C:\Windows\system32\findstr.exe
findstr /rc:".* 1 .*\:.*\:.*\:.*/128 .* \:\:1$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh interface ipv4 show route | findstr /rc:".* 1 .*[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/32 .* 127.0.0.0$" | findstr /r /v "0\.0\.0\.0"
C:\Windows\system32\netsh.exe
netsh interface ipv4 show route
C:\Windows\system32\findstr.exe
findstr /rc:".* 1 .*[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/32 .* 127.0.0.0$"
C:\Windows\system32\findstr.exe
findstr /r /v "0\.0\.0\.0"
C:\Windows\system32\schtasks.exe
schtasks /query /fo list
C:\Windows\system32\findstr.exe
findstr /vr ".*\\UpdateOrchestrator\\Schedule.*Scan$ .*\\USO_Broker_Display$ .*\\USO_UxBroker$ .*\\WinSAT$"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Agent Activation Runtime\\S-1-5-21-557049126-2506969350-2798870634-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\Office 15 Subscription Heartbeat$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\AgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\AppID\\SmartScreenSpecific$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\AppID\\VerifiedPublisherCertStoreCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Application Experience\\AitAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Application Experience\\Microsoft Compatibility Appraiser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Application Experience\\PcaPatchDbTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Application Experience\\ProgramDataUpdater$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Application Experience\\StartupAppTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierDaily$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierInstall$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\ApplicationData\\DsSvcCleanup$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Autochk\\Proxy$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\CloudExperienceHost\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\BthSQM$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\HypervisorFlightingTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\KernelCeipTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\Uploader$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\UsbCeip$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Device Information\\Device$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Device Information\\Device User$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Device Setup\\Metadata Refresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Diagnosis\\RecommendedTroubleshootingScanner$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Diagnosis\\Scheduled$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticDataCollector$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticResolver$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\DiskFootprint\\Diagnostics$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\End Of Support\\Notify1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\End Of Support\\Notify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\ErrorDetails\\EnableErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\ErrorDetails\\ErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Feedback\\Siuf\\DmClient$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Feedback\\Siuf\\DmClientOnScenarioDownload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\FileHistory\\File History (maintenance mode)$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Flighting\\FeatureConfig\\ReconcileFeatures$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Flighting\\FeatureConfig\\UsageDataFlushing$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Flighting\\FeatureConfig\\UsageDataReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\IME\\SQM data sender$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Input\\LocalUserSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Input\\MouseSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Input\\PenSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Input\\TouchpadUserSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\LanguageComponentsInstaller\\Installation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\LanguageComponentsInstaller\\ReconcileLanguageResources$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Location\\Notifications$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Maintenance\\WinSAT$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Management\\Provisioning\\Cellular$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Management\\Provisioning\\Logon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\ActivateWindowsSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\ConfigureInternetTimeService$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\DispatchRecoveryTasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\ehDRMInit$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\InstallPlayReady$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\mcupdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\MediaCenterRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\ObjectStoreRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\OCURActivate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\OCURDiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\PBDADiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\PvrRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\PvrScheduleTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\RegisterSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\ReindexSearchRoot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\SqlLiteRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Media Center\\UpdateRecordPath$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Mobile Broadband Accounts\\MNO Metadata Parser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\NetTrace\\GatherNetworkInfo$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\NlaSvc\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\PerfTrack\\BackgroundConfigSurveyor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\PI\\Sqm-Tasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeSystem$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\PushToInstall\\LoginCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\PushToInstall\\Registration$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\RemoteAssistance\\RemoteAssistanceTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\RemovalTools\\MRT_ERROR_HB$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\SettingSync\\BackgroundUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\SettingSync\\BackupTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\SettingSync\\NetworkStateChangeTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\EOSNotify$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\EOSNotify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\gwx\\launchtrayprocess$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfigandcontent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\refreshgwxconfig-B$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Telemetry-4xd$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Shell\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyMonitor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyMonitorToastTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyRefresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyRefreshTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyUpload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\SideShow\\SessionAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\SideShow\\SystemDataProviders$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Speech\\SpeechModelDownloadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Maintenance Install$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_AC$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_Battery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Report policies$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\schtasks.exe
schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies"
C:\Windows\system32\findstr.exe
findstr /irc:" Disabled .*$"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Maintenance Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\schtasks.exe
schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work"
C:\Windows\system32\findstr.exe
findstr /irc:" Disabled .*$"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan Static Task$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\schtasks.exe
schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task"
C:\Windows\system32\findstr.exe
findstr /irc:" Disabled .*$"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Wake To Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\schtasks.exe
schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work"
C:\Windows\system32\findstr.exe
findstr /irc:" Disabled .*$"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\schtasks.exe
schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Work"
C:\Windows\system32\findstr.exe
findstr /irc:" Disabled .*$"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_Broker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_RebootDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_ReadyToReboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\UpdateModelTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\schtasks.exe
schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask"
C:\Windows\system32\findstr.exe
findstr /irc:" Disabled .*$"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\UPnP\\UPnPHostConfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\User Profile Service\\HiveUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\WaaSMedic\\PerformRemediation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\WCM\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Windows Error Reporting\\QueueReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\WindowsUpdate\\sih$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\WlanSvc\\CDSSync$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\XblGameSave\\XblGameSaveTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\XblGameSave\\XblGameSaveTaskLogon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\OneDrive Standalone Update Task-S-1-5-21-557049126-2506969350-2798870634-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\NvTmRep$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\NvTmRepCR1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\NvTmRepCR2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\NvTmRepCR3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:" \\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\AarSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\AarSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\AeLookupSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\BcastDVRUserService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BcastDVRUserService
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\BluetoothUserService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\BluetoothUserService
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\CaptureService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CaptureService
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\cbdhsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\cbdhsvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\CDPSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CDPSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\CDPUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\cldflt$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\cldflt
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\ConsentUxUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\ConsentUxUserSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\CredentialEnrollmentManagerUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DcpSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DeviceAssociationBrokerSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DeviceAssociationBrokerSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DeviceAssociationService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DeviceAssociationService
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DevicePickerUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DevicePickerUserSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DevicesFlowUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DevicesFlowUserSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\diagnosticshub.standardcollector.service$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\diagsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\diagsvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DiagTrack$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DiagTrack
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DmWapPushService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DmWapPushService
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DoSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DPS$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DPS
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DsSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\DsSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\fdPHost$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\fdPHost
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\FDResPub$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\FDResPub
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\HPTouchpointAnalyticsService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\IEEtwCollectorService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\InstallService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\InstallService
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\iphlpsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\lanmanserver$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\lfsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\lfsvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\lmhosts$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\lmhosts
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\LxpSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\LxpSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\MessagingService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\MessagingService
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\MRxDAV$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\MRxSMB10$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\NcaSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\NcaSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\NcbService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\NcbService
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\NetBT$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\NetBT
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\NetMsmqActivator$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\OneSyncSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\PcaSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\PcaSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\PimIndexMaintenanceSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\PrintWorkflowUserSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\PrintWorkflowUserSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\PushToInstall$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\PushToInstall
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\RemoteAccess$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\RemoteRegistry$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\RetailDemo$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\RetailDemo
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\sgrmbroker$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\sgrmbroker
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\shpamsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\shpamsvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\SmsRouter$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\srv$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\SSDPSRV$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\StorSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\StorSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\telemetry$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\telemetry
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\TrkWks$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\TrkWks
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\tunnel$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\tunnel
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\UevAgentService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UevAgentService
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\UnistoreSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\upnphost$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\upnphost
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\UserDataSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\VDWFP$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\VisualDiscovery$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\W32Time$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WaaSMedicSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\wcncsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wcncsvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WdiServiceHost$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WdiServiceHost
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WdiSystemHost$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WdiSystemHost
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WebClient$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WebClient
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\wercplsupport$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wercplsupport
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WerSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WerSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WinHttpAutoProxySvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WinRM$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WinRM
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\wisvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wisvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\wlidsvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WMPNetworkSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WpnService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WpnService
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\WpnUserService$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\xbgm$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\XblAuthManager$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\XblAuthManager
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\XblGameSave$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\XblGameSave
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\XboxGipSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\XboxGipSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\XboxNetApiSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\NvTelemetryContainer$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger" | findstr /v "ReadyBoot Defender EventLog- Status" | findstr /i ".*\\WMI\\Autologger\\.*"
C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger"
C:\Windows\system32\findstr.exe
findstr /v "ReadyBoot Defender EventLog- Status"
C:\Windows\system32\findstr.exe
findstr /i ".*\\WMI\\Autologger\\.*"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Cellcore"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\CloudExperienceHostOobe"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DataMarket"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\HolographicDevice"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\LwtNetLog"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Mellanox-Kernel"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-AssignedAccess-Trace"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-Rdp-Graphics-RdpIdd-Trace"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-Setup"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NBSMBLOGGER"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NetCore"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NtfsLog"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\PEAuthLog"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\RadioMgr"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\RdrLog"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SetupPlatform"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SetupPlatformTel"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SpoolerLogger"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TCPIPLOGGER"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TileStore"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Tpm"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\UBPM"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WFP-IPsec Trace"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiDriverIHVSession"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiDriverIHVSessionRepro"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiSession"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WinPhoneCritical"
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x1$"
C:\Windows\system32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo
C:\Windows\system32\findstr.exe
findstr /irc:" Id .*REG_SZ .*null$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\findstr.exe
findstr /a:0f "." "/.\'" nul
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0e /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x4$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
C:\Windows\system32\findstr.exe
findstr /irc:" Start .*REG_DWORD .*0x[1-3]$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:02 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0e /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:3f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:06 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
C:\Windows\system32\subst.exe
subst ': "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\system32\findstr.exe
findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c xcopy /L /w "C:\Users\Admin\AppData\Local\Temp\5D43.tmp\5D44.tmp\5D45.bat" "C:\Users\Admin\AppData\Local\Temp\5D43.tmp\5D44.tmp\5D45.bat" 2>NUL
C:\Windows\system32\xcopy.exe
xcopy /L /w "C:\Users\Admin\AppData\Local\Temp\5D43.tmp\5D44.tmp\5D45.bat" "C:\Users\Admin\AppData\Local\Temp\5D43.tmp\5D44.tmp\5D45.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\5D43.tmp\5D44.tmp\5D45.bat" nul /z
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\upfc.exe"
C:\Windows\system32\findstr.exe
findstr /irc:".*System.*(RX)"
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\upfc.exe" /a
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\upfc.exe" /grant:r system:r /C /Q
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\upfc.exe" /grant:r "nt service\trustedinstaller:r" /C /Q
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\upfc.exe" /grant:r *S-1-5-32-544:f /C /Q
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\upfc.exe" /setowner "nt service\trustedinstaller" /C /Q
C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\upfc.exe" /grant:r *S-1-5-32-544:r /C /Q
C:\Windows\system32\attrib.exe
attrib -s -h -r /S /D "C:\Program Files\WindowsApps"
C:\Windows\system32\attrib.exe
attrib -s -h -r /S /D "C:\Users\Admin\AppData\Local\Packages"
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\WindowsApps"
C:\Windows\system32\findstr.exe
findstr /irc:"ETDALPOV.*Admin.*(F)"
C:\Windows\system32\attrib.exe
attrib -h /D "C:\Program Files\WindowsApps"
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\WindowsApps" /grant:r *S-1-5-32-544:f /C /Q
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Local\Packages"
C:\Windows\system32\findstr.exe
findstr /irc:"ETDALPOV.*Admin.*(F)"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /a:d /b "C:\Users\Admin\AppData\Local\Packages" | findstr /i ".*Advertising.*" | findstr /iv ".*BlackbirdBackup"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" dir /a:d /b "C:\Users\Admin\AppData\Local\Packages" "
C:\Windows\system32\findstr.exe
findstr /i ".*Advertising.*"
C:\Windows\system32\findstr.exe
findstr /iv ".*BlackbirdBackup"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /a:d /b "C:\Program Files\WindowsApps" | findstr /i ".*Advertising.*" | findstr /iv ".*BlackbirdBackup"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" dir /a:d /b "C:\Program Files\WindowsApps" "
C:\Windows\system32\findstr.exe
findstr /i ".*Advertising.*"
C:\Windows\system32\findstr.exe
findstr /iv ".*BlackbirdBackup"
C:\Windows\system32\attrib.exe
attrib -h /D /S "C:\Program Files\WindowsApps"
C:\Windows\system32\takeown.exe
takeown /a /f "C:\Program Files\WindowsApps"
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\WindowsApps" /grant:r *S-1-5-32-544:f /C /Q
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" | findstr /i ".*\.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" dir /b "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" "
C:\Windows\system32\findstr.exe
findstr /i ".*\.exe"
C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" /a /r /d y
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" /grant:r *S-1-5-32-544:f /T /C /Q
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" /remove:g SYSTEM /inheritance:r /deny "SYSTEM:(OI)(CI)(IO)(F)" /T /C /Q
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" /remove TrustedInstaller /T /C /Q
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" /remove "ALL RESTRICTED APPLICATION PACKAGES" /T /C /Q
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" /remove "ALL APPLICATION PACKAGES" /T /C /Q
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" /remove "APPLICATION PACKAGE AUTHORITY" /T /C /Q
C:\Windows\system32\taskkill.exe
taskkill /F /IM searchUI.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM browser_broker.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM RuntimeBroker.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM RemindersServer.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM backgroundTaskHost.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM MicrosoftEdge.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM MicrosoftEdgeCP.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM MicrosoftEdgeSH.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM MicrosoftEdgeBCHost.exe
C:\Windows\system32\schtasks.exe
schtasks /query /fo list
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Agent Activation Runtime\\S-1-5-21-557049126-2506969350-2798870634-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\Office 15 Subscription Heartbeat$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetry\\AgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetry\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetryAgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetryAgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetryAgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\AppID\\SmartScreenSpecific$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\AppID\\VerifiedPublisherCertStoreCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\AitAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\Microsoft Compatibility Appraiser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\PcaPatchDbTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\ProgramDataUpdater$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\StartupAppTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierDaily$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierInstall$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\ApplicationData\\DsSvcCleanup$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Autochk\\Proxy$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\CloudExperienceHost\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\BthSQM$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\HypervisorFlightingTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\KernelCeipTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\Uploader$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\UsbCeip$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Device Information\\Device$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Device Information\\Device User$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Device Setup\\Metadata Refresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Diagnosis\\RecommendedTroubleshootingScanner$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Diagnosis\\Scheduled$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticDataCollector$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticResolver$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\DiskFootprint\\Diagnostics$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\End Of Support\\Notify1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\End Of Support\\Notify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\ErrorDetails\\EnableErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\ErrorDetails\\ErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Feedback\\Siuf\\DmClient$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Feedback\\Siuf\\DmClientOnScenarioDownload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\FileHistory\\File History (maintenance mode)$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Flighting\\FeatureConfig\\ReconcileFeatures$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Flighting\\FeatureConfig\\UsageDataFlushing$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Flighting\\FeatureConfig\\UsageDataReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\IME\\SQM data sender$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Input\\LocalUserSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Input\\MouseSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Input\\PenSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Input\\TouchpadUserSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\LanguageComponentsInstaller\\Installation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\LanguageComponentsInstaller\\ReconcileLanguageResources$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Location\\Notifications$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Maintenance\\WinSAT$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Management\\Provisioning\\Cellular$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Management\\Provisioning\\Logon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ActivateWindowsSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ConfigureInternetTimeService$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\DispatchRecoveryTasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ehDRMInit$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\InstallPlayReady$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\mcupdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\MediaCenterRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ObjectStoreRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\OCURActivate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\OCURDiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PBDADiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PvrRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PvrScheduleTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\RegisterSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ReindexSearchRoot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\SqlLiteRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\UpdateRecordPath$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Mobile Broadband Accounts\\MNO Metadata Parser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\NetTrace\\GatherNetworkInfo$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\NlaSvc\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\PerfTrack\\BackgroundConfigSurveyor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\PI\\Sqm-Tasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeSystem$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\PushToInstall\\LoginCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\PushToInstall\\Registration$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\RemoteAssistance\\RemoteAssistanceTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\RemovalTools\\MRT_ERROR_HB$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\SettingSync\\BackgroundUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\SettingSync\\BackupTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\SettingSync\\NetworkStateChangeTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\EOSNotify$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\EOSNotify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\gwx\\launchtrayprocess$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfigandcontent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\refreshgwxconfig-B$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Telemetry-4xd$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyMonitor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyMonitorToastTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyRefresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyRefreshTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyUpload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\SideShow\\SessionAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\SideShow\\SystemDataProviders$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Speech\\SpeechModelDownloadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Maintenance Install$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_AC$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_Battery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Report policies$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\schtasks.exe
schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies"
C:\Windows\system32\findstr.exe
findstr /irc:" Disabled .*$"
C:\Windows\system32\schtasks.exe
schtasks /End /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies"
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Disable-ScheduledTask -TaskName 'Report policies' -TaskPath '\Microsoft\Windows\UpdateOrchestrator\'"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Maintenance Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\schtasks.exe
schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work"
C:\Windows\system32\findstr.exe
findstr /irc:" Disabled .*$"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\schtasks.exe
schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"
C:\Windows\system32\findstr.exe
findstr /irc:" Disabled .*$"
C:\Windows\system32\schtasks.exe
schtasks /End /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Disable-ScheduledTask -TaskName 'Schedule Scan' -TaskPath '\Microsoft\Windows\UpdateOrchestrator\'"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan Static Task$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\schtasks.exe
schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task"
C:\Windows\system32\findstr.exe
findstr /irc:" Disabled .*$"
C:\Windows\system32\schtasks.exe
schtasks /End /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task"
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Disable-ScheduledTask -TaskName 'Schedule Scan Static Task' -TaskPath '\Microsoft\Windows\UpdateOrchestrator\'"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Wake To Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\schtasks.exe
schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work"
C:\Windows\system32\findstr.exe
findstr /irc:" Disabled .*$"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\schtasks.exe
schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Work"
C:\Windows\system32\findstr.exe
findstr /irc:" Disabled .*$"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_Broker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_RebootDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\schtasks.exe
schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker"
C:\Windows\system32\findstr.exe
findstr /irc:" Disabled .*$"
C:\Windows\system32\schtasks.exe
schtasks /End /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker"
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Disable-ScheduledTask -TaskName 'USO_UxBroker' -TaskPath '\Microsoft\Windows\UpdateOrchestrator\'"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_ReadyToReboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\UpdateModelTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\schtasks.exe
schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask"
C:\Windows\system32\findstr.exe
findstr /irc:" Disabled .*$"
C:\Windows\system32\schtasks.exe
schtasks /End /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask"
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Disable-ScheduledTask -TaskName 'UpdateModelTask' -TaskPath '\Microsoft\Windows\UpdateOrchestrator\'"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\UPnP\\UPnPHostConfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\User Profile Service\\HiveUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\WaaSMedic\\PerformRemediation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\WCM\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\Windows Error Reporting\\QueueReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\WindowsUpdate\\sih$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\Windows\\WlanSvc\\CDSSync$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\XblGameSave\\XblGameSaveTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\Microsoft\\XblGameSave\\XblGameSaveTaskLogon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\OneDrive Standalone Update Task-S-1-5-21-557049126-2506969350-2798870634-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\NvTmRep$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\NvTmRepCR1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\NvTmRepCR2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\NvTmRepCR3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\findstr.exe
findstr /irc:".*\:.* \\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\AarSvc$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo AarSvc "
C:\Windows\system32\findstr.exe
findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" AarSvc_.*"
C:\Windows\system32\sc.exe
sc queryex state= all
C:\Windows\system32\findstr.exe
findstr /irc:" AarSvc_.*"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\AeLookupSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\BcastDVRUserService$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo BcastDVRUserService "
C:\Windows\system32\findstr.exe
findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" BcastDVRUserService_.*"
C:\Windows\system32\sc.exe
sc queryex state= all
C:\Windows\system32\findstr.exe
findstr /irc:" BcastDVRUserService_.*"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\BluetoothUserService$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo BluetoothUserService "
C:\Windows\system32\findstr.exe
findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" BluetoothUserService_.*"
C:\Windows\system32\sc.exe
sc queryex state= all
C:\Windows\system32\findstr.exe
findstr /irc:" BluetoothUserService_.*"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\CaptureService$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo CaptureService "
C:\Windows\system32\findstr.exe
findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" CaptureService_.*"
C:\Windows\system32\sc.exe
sc queryex state= all
C:\Windows\system32\findstr.exe
findstr /irc:" CaptureService_.*"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\cbdhsvc$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo cbdhsvc "
C:\Windows\system32\findstr.exe
findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" cbdhsvc_.*"
C:\Windows\system32\sc.exe
sc queryex state= all
C:\Windows\system32\findstr.exe
findstr /irc:" cbdhsvc_.*"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\CDPSvc$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo CDPSvc "
C:\Windows\system32\findstr.exe
findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\CDPUserSvc$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo CDPUserSvc "
C:\Windows\system32\findstr.exe
findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" CDPUserSvc_.*"
C:\Windows\system32\sc.exe
sc queryex state= all
C:\Windows\system32\findstr.exe
findstr /irc:" CDPUserSvc_.*"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\cldflt$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo cldflt "
C:\Windows\system32\findstr.exe
findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\ConsentUxUserSvc$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo ConsentUxUserSvc "
C:\Windows\system32\findstr.exe
findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" ConsentUxUserSvc_.*"
C:\Windows\system32\sc.exe
sc queryex state= all
C:\Windows\system32\findstr.exe
findstr /irc:" ConsentUxUserSvc_.*"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\CredentialEnrollmentManagerUserSvc$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo CredentialEnrollmentManagerUserSvc "
C:\Windows\system32\findstr.exe
findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" CredentialEnrollmentManagerUserSvc_.*"
C:\Windows\system32\sc.exe
sc queryex state= all
C:\Windows\system32\findstr.exe
findstr /irc:" CredentialEnrollmentManagerUserSvc_.*"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DcpSvc$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DeviceAssociationBrokerSvc$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo DeviceAssociationBrokerSvc "
C:\Windows\system32\findstr.exe
findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" DeviceAssociationBrokerSvc_.*"
C:\Windows\system32\sc.exe
sc queryex state= all
C:\Windows\system32\findstr.exe
findstr /irc:" DeviceAssociationBrokerSvc_.*"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DeviceAssociationService$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo DeviceAssociationService "
C:\Windows\system32\findstr.exe
findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DevicePickerUserSvc$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo DevicePickerUserSvc "
C:\Windows\system32\findstr.exe
findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" DevicePickerUserSvc_.*"
C:\Windows\system32\sc.exe
sc queryex state= all
C:\Windows\system32\findstr.exe
findstr /irc:" DevicePickerUserSvc_.*"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DevicesFlowUserSvc$"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo DevicesFlowUserSvc "
C:\Windows\system32\findstr.exe
findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" DevicesFlowUserSvc_.*"
C:\Windows\system32\sc.exe
sc queryex state= all
C:\Windows\system32\findstr.exe
findstr /irc:" DevicesFlowUserSvc_.*"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp |
Files
memory/232-0-0x0000000140000000-0x00000001400B7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5D43.tmp\5D44.tmp\5D45.bat
| MD5 | 094fe951e317efb61ed1f050cd6d4220 |
| SHA1 | a9ee17b0573d9191da8242f6922075e3c2a021a2 |
| SHA256 | 9ed136a0badeae075bb4298500840a4b9a53365ee11449af0cf25886f25f206b |
| SHA512 | 9a0571f51deced515e3c125ef54bbc30e7d1afb45d8bd2d84525b8cc555c36cad0cefd6cf8c1a8b68e7eaef7d3f23eab133680387ae3cb26d24ca8d40fcd0f58 |
C:\Users\Admin\AppData\Local\Temp\'
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | a81cced386011e782b43c0d3251b560b |
| SHA1 | 6b7d165226b6a6a9c09c114917d6f7b70ed3d52b |
| SHA256 | aa03808fa7d3d597c9532b62ac48a55e5796cc947fedc98becb5e41f15f8e2e9 |
| SHA512 | 215273e2c7f2dee477cf55db257cf91b6c9666ab21d8cb07f273371239bc267b8ef634ca9ea396fe4252351fe64f60eac436faedab1bd8d2d78234cf3fa95608 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 44f81b751ab0e430f91039661badb994 |
| SHA1 | 8c6c0a80f9545745bccb1dc60208e90954c025ec |
| SHA256 | c9061f8a635d7b49893673b6c69d3c400972e45f221f698efde216d476f9387e |
| SHA512 | e5dd78db2bab945bcbb56242579e82ea670033410f48f22c5dd52621db1811be2c7e1dc134ab563355113e437b536a8e5abf931fa700705721a89172a5e1aa8e |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 91418fff4aedc3c32effe9e134de31c7 |
| SHA1 | 9e399d8a14d2848736e3e79d9768f9384ffdfaf0 |
| SHA256 | c146fe1ea70d4f8919324ebf2e05386a081365b006f14fa7d4de18e16b08b7b8 |
| SHA512 | 611f10e011b458a77bf94b5cfb0f7f5a8095df46f2e41db491ae7407264acd059cc728cb1837ab0274c481b6dd7e156f45608450ab707036310acd9fcee00349 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 314facf04e765b8d30c8394a8db979cf |
| SHA1 | 898c853f7367027f3f9755ae28c9ab5d3d7aceda |
| SHA256 | 30a27a15ee3b707af70bcf7e3010c8d95fb2210c5f2ec39b3cbc11030a8d971d |
| SHA512 | ae4350a37227b38c707b12e323f309091fd0f1bcb56a1b912bb2fe7d9ea89982c588beb2dbdde637fcbf9af2cfbe35deb0c461b36ea57d2c9319ac4d765b4d60 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | cf0e6212974313466638c2ee46fb0d0f |
| SHA1 | e59d48fb0dd400f65d62f542b554b0157adb7735 |
| SHA256 | 6f64b34df0d4a3cde3050a75636f79354f5c800e0fbf50d6456a371b63926120 |
| SHA512 | 4e2f23238b889f84b59e0d83b5ef2e3981bbfa4506f114b2e53986eae7cb0a028c59ed6f039428be0dbea67df6de454c611ee4016f3327ce88cab7bd63172395 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 3884887f65745965da0fe42ff68e8e46 |
| SHA1 | 5001b2948c288653e16248f8761b4c9ed8900044 |
| SHA256 | 08b46b6d09e7678b034b1ccf96a366f71d001127554bef9fd97fff7873beda99 |
| SHA512 | 9ed3406b7272eee3a13731f1649e1fd2f3273f472f5dc192e749afd0ac5e4f4f7d46d4447212b880f8730bb3b46bf0c842d3648a6101f1493b7a111b72e09788 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 69fbb26c1d8f4df2a309f9cf88340928 |
| SHA1 | 990792f5db60f5a27fed21303039459dca6cc877 |
| SHA256 | fbfaac26f2d0240a0764407c4848e8989b09855988f63023b4b0faec9970d929 |
| SHA512 | 7c60adc20b4df64f34c1e727d650de14509bd1033e86c22729de4eb958ae92e14cdb920a902f8605f21b23c714b34017454c89db352d0f299b019283388367b3 |
C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp
| MD5 | 54acdd4639cb80d35c61bfecfa767d70 |
| SHA1 | 14aeed34ef32cb585cbc96eb809c5b4fd7312b87 |
| SHA256 | c6bb31338d16a8fd3a09ec41fb010f67a75999ace6981a9d7965cab15d3f9a44 |
| SHA512 | 64c648b6ffb942632a4d39219a8e2861b0b2f8f6e817e3a0ac65259997c777c740c67cd00db4389fbc5e50fedc52fa4488b2c989456a5e7112c7eea7167be7fb |
memory/232-32-0x0000000140000000-0x00000001400B7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 4e13bc2227bf31265b8db09593cb3657 |
| SHA1 | 85ad3efe4613e7a37d697b9a72e0bc1bcbda1c57 |
| SHA256 | 037dc57dd95d18bf446bfc091c84df9659c83ec31a2bf28332833a2af902d10c |
| SHA512 | c699d077d94a6b37239dc2da072f62f947bd140d7be9b8ccb3338fe101dfb9aff07b99aa2b924e20df1a99abf4f18089ce1d9d9c16fdd5d0468d1e8f24cdbf15 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 943471f039cb82d7e5a146f2397807c3 |
| SHA1 | fc5d5e2f5bd4caf930ae823a080754b3bc3c8d2e |
| SHA256 | 92eddbb3afb6348f90603b48a65b7e3d300b525107b5d6299b5738d2517d4dff |
| SHA512 | 25dec352d18b6263ffefaadf8f5acb0509a4a437425a8d9af96623696f7d6db5d1f9bc6197ecfffbbfad10c045ab5a6f71ba074d45e9d1388fac40533bbb4b8d |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 266b2aabcd30d0afd83540daae99a22b |
| SHA1 | 6e94ebdc327d1581eab746c27cfe816948c38ab7 |
| SHA256 | 6921ef6e2f742568023da2ec7bb3eb0e0b0d85820c1471a0c95c959dac19c8be |
| SHA512 | 738cf6d936301f1b049e934710002432b6a2689aceaeb3be80b6dbcb41deadf553d83fa7ea8851234e6917e1582da6545aaf22b0e31e0c5baa9144e68bea4051 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 970785299fcc92ab24103af56c64cfd3 |
| SHA1 | 72a8bada2a8aa69634c5b7ac2bb850c8ef3f3d48 |
| SHA256 | 59204b27e2569e9c5a481af3886abe6bc4b8dda6a450102b84612e72a90f151c |
| SHA512 | 93dbf4989db1e7cf5fda8ff02ebd2eacc4ae74142ddd328a103c3034724eea04621777dc742a6a347bad91468b4890675efddc8024f05a35eb9f13dd7c73dc81 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | f8263a827d2cc8ecee893b3051f0f0d4 |
| SHA1 | 927bb7b2dfa41097a016aedb3c8741373f439787 |
| SHA256 | 1c5ac8e25fd1e5848d752fde2b7e5b1a418b1e896c7324006025942734a3052f |
| SHA512 | d18abbd486ef475cb71e3eb483992d88324a495cea6e7eefbc95d940ec46dfe108d40c5bc0b92052c1fd2d0a873648571d490cad8994506dc5369a8f196373cc |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 8d0147ec334f4b2567029dfce703fcde |
| SHA1 | b1821df7c08d996d0d4fd09165ba2c6e2b2ecc24 |
| SHA256 | a4307857231aad4e1ad6c49fd5cc4e5ecaa593cf671fbe48c3002e4fa604fdf2 |
| SHA512 | 6e3d14675079e0c5869a1879c5a33e8082b2ad90a716fe9f6d66a660a40ee110935c0bbb668b8bf4c190e9fb28582d6c4e9942b04c7a30417323dafe2146aeea |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | c82a9ecd14c067e8a52e2ae041d5790f |
| SHA1 | 9491863a587f01917a6de13235721f769f4ecbf9 |
| SHA256 | db036483e8b88559a05534170f842bf0339f6f258122845568345ec8e4402782 |
| SHA512 | 127ab799d673ad3ec8d2ed7e9fff5758ed241b1be6c3039c499385b35dc9f7db007d92477c905995da69b7f4679ef528352f5ea2978e23bc2f4017dbdbdf4b78 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 599f806a626dda2fa2cbc755e98b5bb4 |
| SHA1 | 30d69b664f0eb40102a1de9dc34e7a2fa33f21e5 |
| SHA256 | 702ef14a4166667a42ee50f5a04298c951ba7464653e04ea04a6610386ac6c33 |
| SHA512 | 318a531b6991ec1bebc21ded11555c3043e6674eb68b11218aa47ac4782463c3e8d58620a5b6d69860a659ac383cd3cc404fc659c85c839ecbba7f30b9fb981e |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 0efa62e28f946112649b917f19e96c90 |
| SHA1 | be33e7fb85194a025460bf9dabd7236e7935e7ba |
| SHA256 | 6ac5c33ccc6b9db0424c3c38acda4ee0aacf21155aef111857f4889080c93400 |
| SHA512 | 6497b3aea9d35fbbbf87f8253e61442e590f3a432ed53e166aa3d14c9d54afd73da0b1b44850b6f6e00674e427b818dafaa1c463057be0f5baba0d9edcf962d9 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 9e5bc90abc2d668ec0edeafd847a367c |
| SHA1 | f12743d1f5407546eb70c162d53d6a05870b680f |
| SHA256 | ea94e743be9a8e6c294bccf4f3f7bd0a0f459aecb6d272098e91eab3fade3a23 |
| SHA512 | 17f5ad246b0d93e7f3d51227797ac6f0a380799a688c8dd1ab233d82938d1b21c86a2a256e42e6814d3efed24252101f4082c056bd17366a1a70aad7aa090649 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | e75b24a3f3a9a5e65ee890cc95be6949 |
| SHA1 | 89b90b0251baa77a186d00ef3e8ffc76edd65aba |
| SHA256 | 5b0e23aef6a89ee46f0b96fc8a820dc9feca59ff3c2a49b1979f692796a4c9d7 |
| SHA512 | 3887322d4f485379980c4130d3109824fe54558e3836bf68fe01d1842b5cc5acda726b8fc4a70d7f2df5e00ba329061eb2e606bd3a2d956974675f873777d0ff |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 3c0e051cae923ef7acf4d09afdfd0427 |
| SHA1 | a7c7b28c1f749cf9e1514c9d2198b7c08ceb5d05 |
| SHA256 | 823762c92e56396a66bbcac80faa9a3f52f7b05351dbd43369a22dad8c38d010 |
| SHA512 | 0b6192ca85587a765591409900ac45c333f600ed08f4dc1a10993317d6d048cd0beb05981109b738fe5527fd92e5ee2d819d273f55bf0c5c49e594a5966abee4 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 630ce4b131a85c9367238355707b2fa3 |
| SHA1 | fe5655144f2faa2f4e2c2595da99bfa9d169e63b |
| SHA256 | 6c3bbbc37037c45f6cfd5100f7ce860cfed590bae6ed2a844d353fdfaa7c329c |
| SHA512 | 8a25a5489cd6a0c203d495f928271221c1e2cfba25cff7b5698d8d071894e2be9c67a2e9fbac1c95ecb6e194c54e603ccc00d4477fffeb0f0109cba3a4d0d617 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 8da145462f785db926f4289d0a9c2fdb |
| SHA1 | 32c2bd035bdc95f1d3c7ed4850545004653eb1ed |
| SHA256 | 2556082038f3a5bd5752b774971e7a5744a5f7a17452277ef46b215c73de2132 |
| SHA512 | 958fc6e754036bba5cdee1638639586ccde6b3adc6deadc5c8ac1cf10e8a06db9d3c44d13957eab0ca2d31ba70adfdac5e6be6616ebc1d109a91b27700044caa |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 28b4ffd6efb374469609c1d8fba31c4d |
| SHA1 | 6e70d8ce6a3d22c3f8e1ed7aa5b70556712331f8 |
| SHA256 | b0eacbaca80bce3d73d60c5ee14e219573474fcf9c94a269e61746b09f6e1fba |
| SHA512 | 88ff8492390e577770f1a47d773c981b2f662962d37f6ad43eec40571442dd0c9300f88af51e5dc91fa62274e8498c4d2b8106ef910af7eb8299fd69268dac0f |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 1e930993fa6581249e4c13726d1cb09d |
| SHA1 | f34f88fddcea971d4ee8cfd27b18f62fd11f5df2 |
| SHA256 | cd8746fce7c39374e2612724cb78ba4d6d8bf9a326d0804f464516039c7a482f |
| SHA512 | b918c8360e8d5b998e8e92ec2e075dab749c0faabb3a652d3c92338985f01912664d0828b9cb061786b32ce875d1bd718baccdf32c7553ccda15dbdc3216883a |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | f59c8225d45fea0c2f3ac81076972e64 |
| SHA1 | eab8e70c711290d71e86aad0de22bbc470f0272c |
| SHA256 | 969df9f0b907b29ea0c707e677b3cfccc845eeb9c79a0f876ccc3c0a19f49aa0 |
| SHA512 | d3783e7f962b14af39274a5fe3dfdf0b9c05dfd2c9142686c4b68af6dc6d6c558ef39996ed047696224294e09b2ef9fe8916d9afe1ce73ea85572f6d4f4ef67a |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 36e95110bfe5c7e3f094ae3f15c5a522 |
| SHA1 | 79f4c8882af66200d903286174545c0012b55910 |
| SHA256 | 150ae6592f59877a6e0aaac15db93d01bc6b77e026f2d58e0a5cc2b522319b96 |
| SHA512 | a16962f2581cf3c36a25b37e6811b2ffc11dc18e9dd274aff65bceaa10f19c4351370dc563f0cfde65a8918d24493eaac26cdae7f3fdd55785e7123803dc9af7 |
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp
| MD5 | 9e699fe700519772efa1b6f45b23e10e |
| SHA1 | c4a81031ca2fd39e523e9d6aeb8d3ab712d82745 |
| SHA256 | fecce82f4a5d654559b54faf3ef53883afe14c260b6ee7170a06eeaad7d30abf |
| SHA512 | 8e9c857eef024c1f13cc5a3d37bb3c760279b7f3e7e69654ac8af02da3c265c102f2675adf88c85ce9815232e5dbb5c39f2e2b477769a94bd58934d1fd3c5ca3 |
memory/2556-145-0x0000026E6D870000-0x0000026E6D892000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ceb1wvbq.kqp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2556-155-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp
memory/2556-156-0x0000026E6D730000-0x0000026E6D740000-memory.dmp
memory/2556-157-0x0000026E6D730000-0x0000026E6D740000-memory.dmp
memory/2556-158-0x0000026E6D730000-0x0000026E6D740000-memory.dmp
memory/2556-161-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp
memory/1980-162-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp
memory/1980-163-0x000001EBFA5E0000-0x000001EBFA5F0000-memory.dmp
memory/1980-173-0x000001EBFA5E0000-0x000001EBFA5F0000-memory.dmp
memory/1980-175-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp
memory/4364-185-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp
memory/4364-187-0x000001E3E8F10000-0x000001E3E8F20000-memory.dmp
memory/4364-186-0x000001E3E8F10000-0x000001E3E8F20000-memory.dmp
memory/4364-188-0x000001E3E8F10000-0x000001E3E8F20000-memory.dmp
memory/4364-190-0x000001E3E8F10000-0x000001E3E8F20000-memory.dmp
memory/4364-192-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp
memory/2036-198-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp
memory/2036-200-0x000002E5BBAD0000-0x000002E5BBAE0000-memory.dmp
memory/2036-204-0x000002E5BBAD0000-0x000002E5BBAE0000-memory.dmp
memory/2036-205-0x000002E5BBAD0000-0x000002E5BBAE0000-memory.dmp
memory/2036-207-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp
memory/3904-217-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp
memory/3904-218-0x000001946F620000-0x000001946F630000-memory.dmp
memory/3904-219-0x000001946F620000-0x000001946F630000-memory.dmp
memory/3904-220-0x000001946F620000-0x000001946F630000-memory.dmp
memory/3904-222-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp