Malware Analysis Report

2024-11-16 12:23

Sample ID 240318-sbv79aca7t
Target blackbird.exe
SHA256 1f75a4165bfd37b5c497d771ddc81c06daf4303f23973dd957ce3fcb52fd6966
Tags
upx evasion discovery exploit
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

1f75a4165bfd37b5c497d771ddc81c06daf4303f23973dd957ce3fcb52fd6966

Threat Level: Known bad

The file blackbird.exe was found to be: Known bad.

Malicious Activity Summary

upx evasion discovery exploit

Turns off Windows Defender SpyNet reporting

Stops running service(s)

Possible privilege escalation attempt

Modifies file permissions

UPX packed file

Drops file in Program Files directory

Launches sc.exe

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Kills process with taskkill

Enumerates processes with tasklist

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Gathers network information

Delays execution with timeout.exe

Disables Windows logging functionality

Uses Task Scheduler COM API

Modifies registry class

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-18 14:57

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-18 14:57

Reported

2024-03-18 15:02

Platform

win7-20240221-en

Max time kernel

110s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\blackbird.exe"

Signatures

Stops running service(s)

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables Windows logging functionality

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A N/A N/A

Gathers network information

Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A N/A N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\find.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\find.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\chcp.com N/A
N/A N/A C:\Windows\system32\shutdown.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\mode.com N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\subst.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\subst.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\subst.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\subst.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\subst.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\subst.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\subst.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\findstr.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2624 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\blackbird.exe C:\Windows\system32\cmd.exe
PID 2624 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\blackbird.exe C:\Windows\system32\cmd.exe
PID 2624 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\blackbird.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2584 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2584 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2584 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2584 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2584 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2584 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2584 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2584 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2584 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2584 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2584 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2584 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2584 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2584 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2584 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2584 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2584 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2584 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2584 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2584 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 2584 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 2584 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 2584 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 2584 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 2584 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2564 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2564 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2564 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2564 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2564 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2564 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2564 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2564 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2564 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2564 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2584 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2584 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\blackbird.exe

"C:\Users\Admin\AppData\Local\Temp\blackbird.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\589B.tmp\589C.tmp\589D.bat C:\Users\Admin\AppData\Local\Temp\blackbird.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo ;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\; "

C:\Windows\system32\find.exe

find /C /I "\system32;"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo ;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\; "

C:\Windows\system32\find.exe

find /C /I "\wbem;"

C:\Windows\system32\reg.exe

reg add HKLM /F

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\shutdown.exe

shutdown /a

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic /node:"IKJSPGIM" COMPUTERSYSTEM GET USERNAME | findstr /i "IKJSPGIM"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:"IKJSPGIM" COMPUTERSYSTEM GET USERNAME

C:\Windows\system32\findstr.exe

findstr /i "IKJSPGIM"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users\Admin\AppData\Local\Temp\blackbirds_temp "

C:\Windows\system32\findstr.exe

findstr /i ".*\\blackbirds_temp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ "

C:\Windows\system32\findstr.exe

findstr /i "powershell"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mode con|findstr /n "^"|findstr /l /b /c:"5:"

C:\Windows\system32\mode.com

mode con

C:\Windows\system32\findstr.exe

findstr /n "^"

C:\Windows\system32\findstr.exe

findstr /l /b /c:"5:"

C:\Windows\system32\reg.exe

reg query "HKCU\Control Panel\Desktop"

C:\Windows\system32\findstr.exe

findstr /ir "\<PreferredUILanguages.*REG_MULTI_SZ "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\System\ControlSet001\Control\Nls\Language" /v "InstallLanguage" | findstr /ir "\<InstallLanguage.*REG_SZ "

C:\Windows\system32\reg.exe

reg query "HKLM\System\ControlSet001\Control\Nls\Language" /v "InstallLanguage"

C:\Windows\system32\findstr.exe

findstr /ir "\<InstallLanguage.*REG_SZ "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_useraccount where name='Admin' get sid"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_useraccount where name='Admin' get sid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" dir /b "C:\Program Files (x86)\" "

C:\Windows\system32\findstr.exe

findstr /irc:"NVIDIA Corporation"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:06 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:06 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:60 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\reg.exe

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows

C:\Windows\system32\findstr.exe

findstr /irc:".*\\Windows\\WindowsUpdate$"

C:\Windows\system32\reg.exe

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

C:\Windows\system32\findstr.exe

findstr /irc:".*\\WindowsUpdate\\AU$"

C:\Windows\system32\reg.exe

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

C:\Windows\system32\findstr.exe

findstr /irc:" AUOptions .*REG_DWORD .*0x[3-5]$"

C:\Windows\system32\reg.exe

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

C:\Windows\system32\findstr.exe

findstr /irc:" AUOptions .*REG_DWORD .*0x2$"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB971033 KB2876229 KB2882822 KB2902907 KB2922324 KB2952664 KB2976978 KB2976987 KB2977759 KB2990214 KB3012973 KB3014460 KB3015249 KB3021917 KB3022345 KB3035583 KB3044374 KB3046480 KB3050265 KB3050267 KB3064683 KB3065987 KB3065988 KB3068707 KB3068708 KB3072318 KB3074677 KB3075249 KB3075851 KB3075853 KB3080149 KB3080351 KB3081427 KB3081437 KB3081451 KB3081454 KB3081954 KB3083324 KB3083325 KB3083710 KB3083711 KB3090045 KB3095675 KB3112336 KB3112343 KB3123862 KB3124275 KB3134814 KB3135445 KB3138612 KB3138615 KB3139929 KB3140166 KB3140185 KB3146449 KB3150513 KB3173040 KB4493132"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\findstr.exe

findstr /i "gwx.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh interface ipv6 show route | findstr /rc:".* 1 .*\:.*\:.*\:.*/128 .* \:\:1$"

C:\Windows\system32\netsh.exe

netsh interface ipv6 show route

C:\Windows\system32\findstr.exe

findstr /rc:".* 1 .*\:.*\:.*\:.*/128 .* \:\:1$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh interface ipv4 show route | findstr /rc:".* 1 .*[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/32 .* 127.0.0.0$" | findstr /r /v "0\.0\.0\.0"

C:\Windows\system32\netsh.exe

netsh interface ipv4 show route

C:\Windows\system32\findstr.exe

findstr /rc:".* 1 .*[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/32 .* 127.0.0.0$"

C:\Windows\system32\findstr.exe

findstr /r /v "0\.0\.0\.0"

C:\Windows\system32\schtasks.exe

schtasks /query /fo list

C:\Windows\system32\findstr.exe

findstr /vr ".*\\WinSAT$"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Agent Activation Runtime\\S-1-5-21-406356229-2805545415-1236085040-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\Office 15 Subscription Heartbeat$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\AgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\AppID\\SmartScreenSpecific$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\AppID\\VerifiedPublisherCertStoreCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Application Experience\\AitAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Application Experience\\Microsoft Compatibility Appraiser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Application Experience\\PcaPatchDbTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Application Experience\\ProgramDataUpdater$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Application Experience\\StartupAppTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierDaily$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierInstall$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\ApplicationData\\DsSvcCleanup$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Autochk\\Proxy$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\CloudExperienceHost\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\BthSQM$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\HypervisorFlightingTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\KernelCeipTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\Uploader$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\UsbCeip$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Device Information\\Device$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Device Information\\Device User$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Device Setup\\Metadata Refresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Diagnosis\\RecommendedTroubleshootingScanner$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Diagnosis\\Scheduled$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticDataCollector$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticResolver$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\DiskFootprint\\Diagnostics$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\End Of Support\\Notify1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\End Of Support\\Notify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\ErrorDetails\\EnableErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\ErrorDetails\\ErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Feedback\\Siuf\\DmClient$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Feedback\\Siuf\\DmClientOnScenarioDownload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\FileHistory\\File History (maintenance mode)$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Flighting\\FeatureConfig\\ReconcileFeatures$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Flighting\\FeatureConfig\\UsageDataFlushing$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Flighting\\FeatureConfig\\UsageDataReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\IME\\SQM data sender$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Input\\LocalUserSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Input\\MouseSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Input\\PenSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Input\\TouchpadUserSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\LanguageComponentsInstaller\\Installation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\LanguageComponentsInstaller\\ReconcileLanguageResources$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Location\\Notifications$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Maintenance\\WinSAT$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Management\\Provisioning\\Cellular$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Management\\Provisioning\\Logon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\ActivateWindowsSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\ConfigureInternetTimeService$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\DispatchRecoveryTasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\ehDRMInit$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\InstallPlayReady$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\mcupdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\MediaCenterRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\ObjectStoreRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\OCURActivate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\OCURDiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\PBDADiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\PvrRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\PvrScheduleTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\RegisterSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\ReindexSearchRoot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\SqlLiteRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\UpdateRecordPath$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Mobile Broadband Accounts\\MNO Metadata Parser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\NetTrace\\GatherNetworkInfo$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\NlaSvc\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\PerfTrack\\BackgroundConfigSurveyor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\PI\\Sqm-Tasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeSystem$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\PushToInstall\\LoginCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\PushToInstall\\Registration$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\RemoteAssistance\\RemoteAssistanceTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\RemovalTools\\MRT_ERROR_HB$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\SettingSync\\BackgroundUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\SettingSync\\BackupTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\SettingSync\\NetworkStateChangeTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\EOSNotify$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\EOSNotify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\gwx\\launchtrayprocess$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfigandcontent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\refreshgwxconfig-B$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Telemetry-4xd$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Shell\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyMonitor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyMonitorToastTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyRefresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyRefreshTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyUpload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\SideShow\\SessionAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\SideShow\\SystemDataProviders$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Speech\\SpeechModelDownloadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Maintenance Install$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_AC$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_Battery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Report policies$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Maintenance Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan Static Task$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Wake To Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_Broker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_RebootDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_ReadyToReboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\UpdateModelTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UPnP\\UPnPHostConfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\User Profile Service\\HiveUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\WaaSMedic\\PerformRemediation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\WCM\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Windows Error Reporting\\QueueReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\WindowsUpdate\\sih$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\WlanSvc\\CDSSync$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\XblGameSave\\XblGameSaveTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\XblGameSave\\XblGameSaveTaskLogon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\OneDrive Standalone Update Task-S-1-5-21-406356229-2805545415-1236085040-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\NvTmRep$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\NvTmRepCR1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\NvTmRepCR2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\NvTmRepCR3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
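
The block above is a long run of `findstr` presence checks against a file the sample wrote earlier (`blackbird.tempsch_raw.tmp`; its contents are not reproduced in this section), one check per well-known scheduled-task path. The `reg.exe`/`findstr.exe` pairs that follow are a second discovery loop over services: `reg query HKLM\SYSTEM\CurrentControlSet\Services` piped into `findstr /irc:".*\\services\\<name>$"` tests whether a service key exists, and `reg query ...\Services\<name>` piped into `findstr /irc:" start .*REG_DWORD .*0x[0-3]$"` tests whether its `Start` value is 0 (boot), 1 (system), 2 (automatic) or 3 (manual), i.e. anything other than 4 (disabled). Reading two consecutive processes as one `cmd.exe` pipeline is an analyst inference, not something the report states. The script below is an added example, not part of the report or of the sample: it parses a constructed excerpt in the report's own path/command-line layout and turns the flat list into a per-task and per-service summary an analyst can paste into notes. The `SAMPLE` text, the helper names and the `start_not_disabled`/`exists` labels are all this example's own.

```python
"""Added example (not from the report): reconstruct what blackbird.exe's
discovery commands are probing from the sandbox's path/command-line list."""
import re

# Path line that opens each record, e.g. C:\Windows\system32\findstr.exe
PATH_RE = re.compile(r'^[A-Za-z]:\\[^\s"]+\.exe$', re.I)
# findstr /irc:" \\Microsoft\\...\\Task$" "<dump file>"  -> scheduled-task probe
TASK_RE = re.compile(r'^findstr /irc:" (?P<task>.+?)\$" "(?P<file>[^"]+)"$')
# reg query HKLM\SYSTEM\CurrentControlSet\Services        -> enumerate all services
SVC_LIST_RE = re.compile(r'^reg query HKLM\\SYSTEM\\CurrentControlSet\\Services$', re.I)
# reg query HKLM\SYSTEM\CurrentControlSet\Services\<name> -> read one service key
SVC_KEY_RE = re.compile(
    r'^reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>[^\\\s"]+)$', re.I)
# findstr /irc:".*\\services\\<name>$"                    -> does the service exist?
SVC_NAME_RE = re.compile(r'^findstr /irc:"\.\*\\\\services\\\\(?P<svc>[^"$]+)\$"$', re.I)
# findstr /irc:" start .*REG_DWORD .*0x[0-3]$"            -> Start is 0..3, not 4
START_RE = re.compile(r'^findstr /irc:" start \.\*REG_DWORD \.\*0x\[0-3\]\$"$', re.I)
# The same findstr test, as a Python regex, applied to a `reg query <key>` output line.
START_PROBE = re.compile(r" start .*REG_DWORD .*0x[0-3]$", re.I)
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Constructed excerpt (assumption) in the report's layout; separator blank
# lines are omitted here because the parser skips them anyway.
SAMPLE = r'''
C:\Windows\system32\findstr.exe
findstr /irc:" \\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\DiagTrack$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services
C:\Windows\system32\findstr.exe
findstr /irc:".*\\services\\RemoteRegistry$"
C:\Windows\system32\reg.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
C:\Windows\system32\findstr.exe
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
'''


def parse_records(text):
    """Pair each process path line with the command line that follows it."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    records, i = [], 0
    while i < len(lines):
        if PATH_RE.match(lines[i]) and i + 1 < len(lines):
            records.append((lines[i], lines[i + 1]))
            i += 2
        else:
            i += 1  # stray line, e.g. a command line whose path fell outside the excerpt
    return records


def summarize(records):
    """Group consecutive reg query + findstr commands into what the sample checks."""
    tasks, services, pending = [], {}, None
    for _path, cmd in records:
        m = TASK_RE.match(cmd)
        if m:
            tasks.append(m.group("task").replace("\\\\", "\\"))  # undo findstr escaping
            pending = None
            continue
        if SVC_LIST_RE.match(cmd):
            pending = ("list", None)
            continue
        m = SVC_KEY_RE.match(cmd)
        if m:
            pending = ("key", m.group("svc"))
            continue
        m = SVC_NAME_RE.match(cmd)
        if m and pending == ("list", None):
            services.setdefault(m.group("svc"), set()).add("exists")
        elif START_RE.match(cmd) and pending and pending[0] == "key":
            services.setdefault(pending[1], set()).add("start_not_disabled")
        pending = None
    return {"tasks": tasks, "services": {k: sorted(v) for k, v in services.items()}}


def start_probe_matches(reg_output_line):
    """True when the sample's findstr would accept this `reg query` output line."""
    return START_PROBE.search(reg_output_line.rstrip("\r\n")) is not None


def describe(summary):
    """Human-readable lines for analyst notes."""
    out = [f"scheduled tasks probed: {len(summary['tasks'])}"]
    for name, checks in sorted(summary["services"].items()):
        out.append(f"service {name}: {', '.join(checks)}")
    return out


if __name__ == "__main__":
    print("\n".join(describe(summarize(parse_records(SAMPLE)))))
```

Run against the full process list, the summary shows which telemetry, update and remote-management services the sample merely confirmed exist and which ones it went on to test for a non-disabled `Start` value; the Start regex accepts only a single hex digit 0 to 3, so a service already set to 4 (disabled) fails the probe. The commands reproduced here only establish that the sample looked; what it does after a positive match is in the process lines outside this excerpt.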

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\AarSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\AeLookupSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\AeLookupSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\BcastDVRUserService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\BluetoothUserService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\CaptureService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\cbdhsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\CDPSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\CDPUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\cldflt$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\ConsentUxUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\CredentialEnrollmentManagerUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DcpSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DeviceAssociationBrokerSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DeviceAssociationService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DevicePickerUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DevicesFlowUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\diagnosticshub.standardcollector.service$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\diagsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DiagTrack$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DmWapPushService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DoSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DPS$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DPS

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DsSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\fdPHost$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\fdPHost

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\FDResPub$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\FDResPub

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\HPTouchpointAnalyticsService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\IEEtwCollectorService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\IEEtwCollectorService

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\InstallService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\iphlpsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\lanmanserver$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\lfsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\lmhosts$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\lmhosts

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\LxpSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\MessagingService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\MRxDAV$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\MRxSMB10$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxSMB10

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\NcaSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\NcbService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\NetBT$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\NetBT

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\NetMsmqActivator$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\NetMsmqActivator

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\OneSyncSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\PcaSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\PcaSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\PimIndexMaintenanceSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\PrintWorkflowUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\PushToInstall$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\RemoteAccess$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\RemoteRegistry$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\RetailDemo$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\sgrmbroker$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\shpamsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\SmsRouter$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\srv$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\srv

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\SSDPSRV$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\StorSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\telemetry$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\TrkWks$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrkWks

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\tunnel$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\tunnel

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\UevAgentService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\UnistoreSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\upnphost$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\upnphost

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\UserDataSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\VDWFP$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\VisualDiscovery$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\W32Time$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WaaSMedicSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\wcncsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wcncsvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WdiServiceHost$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WdiServiceHost

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WdiSystemHost$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WdiSystemHost

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WebClient$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WebClient

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\wercplsupport$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wercplsupport

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WerSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WerSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WinHttpAutoProxySvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WinRM$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WinRM

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\wisvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\wlidsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WMPNetworkSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WpnService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WpnUserService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\xbgm$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\XblAuthManager$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\XblGameSave$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\XboxGipSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\XboxNetApiSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\NvTelemetryContainer$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger" | findstr /v "ReadyBoot EventLog- Status" | findstr /i ".*\\WMI\\Autologger\\.*"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger"

C:\Windows\system32\findstr.exe

findstr /v "ReadyBoot EventLog- Status"

C:\Windows\system32\findstr.exe

findstr /i ".*\\WMI\\Autologger\\.*"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-Setup"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NBSMBLOGGER"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NtfsLog"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\PEAuthLog"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\PerfPipeUserSession:0"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\PerfPipeUserSession:1"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\PerfPipeUserSession:2"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\PerfPipeUserSession:3"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\RAC_PS"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\RdrLog"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TCPIPLOGGER"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\UBPM"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WFP-IPsec Trace"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:2f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:2f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\findstr.exe

findstr /a:0f "." "/.\'" nul

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:2f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:2f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:2f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0e /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0e /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:06 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xcopy /L /w "C:\Users\Admin\AppData\Local\Temp\589B.tmp\589C.tmp\589D.bat" "C:\Users\Admin\AppData\Local\Temp\589B.tmp\589C.tmp\589D.bat" 2>NUL

C:\Windows\system32\xcopy.exe

xcopy /L /w "C:\Users\Admin\AppData\Local\Temp\589B.tmp\589C.tmp\589D.bat" "C:\Users\Admin\AppData\Local\Temp\589B.tmp\589C.tmp\589D.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\589B.tmp\589C.tmp\589D.bat" nul /z

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB971033"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB2876229"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB2882822"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB2902907"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB2922324"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB2952664"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB2976978"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB2976987"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB2977759"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB2990214"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3012973"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3014460"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3015249"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3021917"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3022345"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3035583"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3044374"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3046480"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3050265"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3050267"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3064683"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3065987"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3065988"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3068707"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3068708"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3072318"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3074677"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3075249"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3075851"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3075853"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3080149"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3080351"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3081427"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3081437"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3081451"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3081454"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3081954"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3083324"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3083325"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3083710"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3083711"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3090045"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3095675"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3112336"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3112343"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3123862"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3124275"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3134814"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3135445"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3138612"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3138615"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3139929"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3140166"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3140185"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3146449"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3150513"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB3173040"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

C:\Windows\system32\findstr.exe

findstr "KB4493132"

C:\Windows\system32\schtasks.exe

schtasks /query /fo list

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Agent Activation Runtime\\S-1-5-21-406356229-2805545415-1236085040-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\Office 15 Subscription Heartbeat$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetry\\AgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetry\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetryAgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetryAgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetryAgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\AppID\\SmartScreenSpecific$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\AppID\\VerifiedPublisherCertStoreCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\AitAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\Microsoft Compatibility Appraiser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\PcaPatchDbTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\ProgramDataUpdater$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\StartupAppTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierDaily$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierInstall$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\ApplicationData\\DsSvcCleanup$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Autochk\\Proxy$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\CloudExperienceHost\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\BthSQM$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\HypervisorFlightingTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\KernelCeipTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\Uploader$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\UsbCeip$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Device Information\\Device$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Device Information\\Device User$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Device Setup\\Metadata Refresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Diagnosis\\RecommendedTroubleshootingScanner$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Diagnosis\\Scheduled$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticDataCollector$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticResolver$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\DiskFootprint\\Diagnostics$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\End Of Support\\Notify1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\End Of Support\\Notify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\ErrorDetails\\EnableErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\ErrorDetails\\ErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Feedback\\Siuf\\DmClient$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Feedback\\Siuf\\DmClientOnScenarioDownload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\FileHistory\\File History (maintenance mode)$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Flighting\\FeatureConfig\\ReconcileFeatures$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Flighting\\FeatureConfig\\UsageDataFlushing$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Flighting\\FeatureConfig\\UsageDataReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\IME\\SQM data sender$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Input\\LocalUserSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Input\\MouseSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Input\\PenSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Input\\TouchpadUserSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\LanguageComponentsInstaller\\Installation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\LanguageComponentsInstaller\\ReconcileLanguageResources$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Location\\Notifications$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Maintenance\\WinSAT$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Management\\Provisioning\\Cellular$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Management\\Provisioning\\Logon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ActivateWindowsSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ConfigureInternetTimeService$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\DispatchRecoveryTasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ehDRMInit$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\InstallPlayReady$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\mcupdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\MediaCenterRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ObjectStoreRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\OCURActivate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\OCURDiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PBDADiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PvrRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PvrScheduleTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\RegisterSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ReindexSearchRoot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\SqlLiteRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\UpdateRecordPath$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Mobile Broadband Accounts\\MNO Metadata Parser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\NetTrace\\GatherNetworkInfo$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\NlaSvc\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\PerfTrack\\BackgroundConfigSurveyor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\PI\\Sqm-Tasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeSystem$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\PushToInstall\\LoginCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\PushToInstall\\Registration$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\RemoteAssistance\\RemoteAssistanceTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\RemovalTools\\MRT_ERROR_HB$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\SettingSync\\BackgroundUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\SettingSync\\BackupTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\SettingSync\\NetworkStateChangeTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\EOSNotify$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\EOSNotify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\gwx\\launchtrayprocess$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfigandcontent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\refreshgwxconfig-B$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Telemetry-4xd$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyMonitor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyMonitorToastTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyRefresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyRefreshTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyUpload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\SideShow\\SessionAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\SideShow\\SystemDataProviders$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Speech\\SpeechModelDownloadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Maintenance Install$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_AC$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_Battery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Report policies$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Maintenance Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan Static Task$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Wake To Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_Broker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_RebootDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_ReadyToReboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\UpdateModelTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UPnP\\UPnPHostConfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\User Profile Service\\HiveUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\WaaSMedic\\PerformRemediation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\WCM\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Windows Error Reporting\\QueueReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\WindowsUpdate\\sih$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\WlanSvc\\CDSSync$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\XblGameSave\\XblGameSaveTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\XblGameSave\\XblGameSaveTaskLogon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\OneDrive Standalone Update Task-S-1-5-21-406356229-2805545415-1236085040-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\NvTmRep$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\NvTmRepCR1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\NvTmRepCR2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\NvTmRepCR3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\AarSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\AeLookupSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\AeLookupSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x3$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\AeLookupSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[1-2]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\AeLookupSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x0$"

C:\Windows\system32\sc.exe

sc stop AeLookupSvc

C:\Windows\system32\sc.exe

sc pause AeLookupSvc

C:\Windows\system32\sc.exe

sc stop AeLookupSvc

C:\Windows\system32\sc.exe

sc config AeLookupSvc start= disabled

C:\Windows\system32\reg.exe

reg add HKLM\SYSTEM\CurrentControlSet\Services\AeLookupSvc /v Start /t REG_DWORD /d 4 /f

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\AeLookupSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo AeLookupSvc "

C:\Windows\system32\findstr.exe

findstr /r "\<HPTouchpointAnalyticsService\> \<VDWFP\> \<VisualDiscovery\> \<NvTelemetryContainer\>"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\BcastDVRUserService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\BluetoothUserService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\CaptureService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\cbdhsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\CDPSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\CDPUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\cldflt$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\ConsentUxUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\CredentialEnrollmentManagerUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DcpSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DeviceAssociationBrokerSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DeviceAssociationService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DevicePickerUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DevicesFlowUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\diagnosticshub.standardcollector.service$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\diagsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DiagTrack$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DmWapPushService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DoSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DPS$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DPS

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x3$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DPS

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[1-2]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DPS

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x0$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DsSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\fdPHost$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\fdPHost

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x3$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\fdPHost

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[1-2]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\fdPHost

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x0$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\FDResPub$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\FDResPub

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x3$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\FDResPub

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[1-2]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\FDResPub

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x0$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\HPTouchpointAnalyticsService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\IEEtwCollectorService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\IEEtwCollectorService

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x3$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\IEEtwCollectorService

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[1-2]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\IEEtwCollectorService

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x0$"

C:\Windows\system32\sc.exe

sc stop IEEtwCollectorService

C:\Windows\system32\sc.exe

sc pause IEEtwCollectorService

C:\Windows\system32\sc.exe

sc stop IEEtwCollectorService

C:\Windows\system32\sc.exe

sc config IEEtwCollectorService start= disabled

C:\Windows\system32\reg.exe

reg add HKLM\SYSTEM\CurrentControlSet\Services\IEEtwCollectorService /v Start /t REG_DWORD /d 4 /f

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\IEEtwCollectorService

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo IEEtwCollectorService "

C:\Windows\system32\findstr.exe

findstr /r "\<HPTouchpointAnalyticsService\> \<VDWFP\> \<VisualDiscovery\> \<NvTelemetryContainer\>"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\InstallService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\iphlpsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x3$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[1-2]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x0$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\lanmanserver$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x3$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[1-2]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x0$"

C:\Windows\system32\sc.exe

sc stop lanmanserver

C:\Windows\system32\sc.exe

sc pause lanmanserver

C:\Windows\system32\sc.exe

sc stop lanmanserver

C:\Windows\system32\sc.exe

sc config lanmanserver start= disabled

C:\Windows\system32\reg.exe

reg add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver /v Start /t REG_DWORD /d 4 /f

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo lanmanserver "

C:\Windows\system32\findstr.exe

findstr /r "\<HPTouchpointAnalyticsService\> \<VDWFP\> \<VisualDiscovery\> \<NvTelemetryContainer\>"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\lfsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\lmhosts$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\lmhosts

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x3$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\lmhosts

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[1-2]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\lmhosts

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x0$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\LxpSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\MessagingService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\MRxDAV$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x3$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[1-2]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x0$"

C:\Windows\system32\sc.exe

sc stop MRxDAV

C:\Windows\system32\sc.exe

sc pause MRxDAV

C:\Windows\system32\sc.exe

sc stop MRxDAV

C:\Windows\system32\sc.exe

sc config MRxDAV start= disabled

C:\Windows\system32\reg.exe

reg add HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV /v Start /t REG_DWORD /d 4 /f

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo MRxDAV "

C:\Windows\system32\findstr.exe

findstr /r "\<HPTouchpointAnalyticsService\> \<VDWFP\> \<VisualDiscovery\> \<NvTelemetryContainer\>"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\MRxSMB10$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxSMB10

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x3$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxSMB10

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[1-2]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxSMB10

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x0$"
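
The listing above repeats one template per service: list the Services key and findstr the service name to confirm it exists, query its Start value against the patterns 0x3 (Manual), 0x[1-2] (System/Automatic) and 0x0 (Boot) so the original start type is known, then, for the services that are actually changed, run sc stop, sc pause, sc stop, set start= disabled with sc, write Start=4 with reg add, and re-query for 0x[0-3] to confirm the value is no longer 0..3. The echoed service name is then matched against a fixed list of four vendor service names. The Python below is an added example, not part of the sandbox report or of the sample; it rebuilds that per-service timeline from command lines in the report's format. The log excerpt is constructed from the lines shown above, and the names parse_service_log, disabled_services and describe are this example's own.

```python
import re

# Service Start values as stored under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Start
START_TYPE = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

SC_RE = re.compile(r"^sc\s+(stop|pause|config)\s+(\S+)(?:\s+start=\s*(\S+))?\s*$", re.I)
REG_ADD_RE = re.compile(
    r"^reg\s+add\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\(\S+)"
    r"\s+/v\s+Start\s+/t\s+REG_DWORD\s+/d\s+(\d+)", re.I)
REG_QUERY_RE = re.compile(
    r"^reg\s+query\s+HKLM\\SYSTEM\\CurrentControlSet\\Services(?:\\(\S+))?\s*$", re.I)
# findstr applied to `reg query ...\<svc>` output: which Start values the script looks for
START_PROBE_RE = re.compile(
    r'^findstr\s+/irc:"\s*start\s+\.\*REG_DWORD\s+\.\*0x(?:\[(\d)-(\d)\]|(\d))\$"', re.I)
# findstr applied to the listing of the whole Services key: does the service exist at all
EXIST_PROBE_RE = re.compile(r'^findstr\s+/irc:"\.\*\\\\services\\\\([^$"]+)\$"', re.I)

# Constructed excerpt in the report's layout (process-path lines, echo and the vendor-name
# findstr are present to show they are ignored by the parser).
SAMPLE_LOG = r'''
C:\Windows\system32\sc.exe
sc stop AeLookupSvc
sc pause AeLookupSvc
sc stop AeLookupSvc
sc config AeLookupSvc start= disabled
reg add HKLM\SYSTEM\CurrentControlSet\Services\AeLookupSvc /v Start /t REG_DWORD /d 4 /f
reg query HKLM\SYSTEM\CurrentControlSet\Services\AeLookupSvc
findstr /irc:" start .*REG_DWORD .*0x[0-3]$"
C:\Windows\system32\cmd.exe /S /D /c" echo AeLookupSvc "
findstr /r "\<HPTouchpointAnalyticsService\> \<VDWFP\> \<VisualDiscovery\> \<NvTelemetryContainer\>"
reg query HKLM\SYSTEM\CurrentControlSet\Services
findstr /irc:".*\\services\\DPS$"
reg query HKLM\SYSTEM\CurrentControlSet\Services\DPS
findstr /irc:" start .*REG_DWORD .*0x3$"
reg query HKLM\SYSTEM\CurrentControlSet\Services\DPS
findstr /irc:" start .*REG_DWORD .*0x[1-2]$"
reg query HKLM\SYSTEM\CurrentControlSet\Services\DPS
findstr /irc:" start .*REG_DWORD .*0x0$"
reg query HKLM\SYSTEM\CurrentControlSet\Services
findstr /irc:".*\\services\\lanmanserver$"
reg query HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver
findstr /irc:" start .*REG_DWORD .*0x3$"
sc stop lanmanserver
sc pause lanmanserver
sc stop lanmanserver
sc config lanmanserver start= disabled
reg add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver /v Start /t REG_DWORD /d 4 /f
'''


def parse_service_log(log_text):
    """Rebuild, per service, what was probed and what was changed."""
    services = {}
    pending_query = None  # service named by the most recent `reg query ...\Services\<svc>`

    def rec(name):
        return services.setdefault(
            name, {"probed_start_types": [], "actions": [], "final_start": None})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_QUERY_RE.match(line)
        if m:
            pending_query = m.group(1)  # None when the whole Services key is listed
            continue
        m = START_PROBE_RE.match(line)
        if m and pending_query:
            lo, hi, single = m.groups()
            rec(pending_query)["probed_start_types"].append(
                list(range(int(lo), int(hi) + 1)) if lo else [int(single)])
            continue
        m = EXIST_PROBE_RE.match(line)
        if m:
            rec(m.group(1))["actions"].append("existence probe")
            continue
        m = SC_RE.match(line)
        if m:
            verb, name, arg = m.groups()
            r = rec(name)
            if verb.lower() == "config" and (arg or "").lower() == "disabled":
                r["actions"].append("sc config start=disabled")
                r["final_start"] = 4
            else:
                r["actions"].append("sc " + verb.lower())
            continue
        m = REG_ADD_RE.match(line)
        if m:
            r = rec(m.group(1))
            r["final_start"] = int(m.group(2))
            r["actions"].append(f"reg add Start={r['final_start']}")
        # anything else (process paths, echo, vendor-name findstr) carries no service state
    return services


def disabled_services(log_text):
    """Services left with Start=4 (Disabled) by the end of the log."""
    return sorted(n for n, r in parse_service_log(log_text).items() if r["final_start"] == 4)


def describe(services):
    """One summary line per service, suitable for a report appendix."""
    out = []
    for name, r in sorted(services.items()):
        probed = sorted({t for group in r["probed_start_types"] for t in group})
        final = START_TYPE.get(r["final_start"], "unchanged")
        out.append(f"{name}: probed Start in {probed}; "
                   f"{', '.join(r['actions']) or 'no action'}; final={final}")
    return out


if __name__ == "__main__":
    for summary in describe(parse_service_log(SAMPLE_LOG)):
        print(summary)
```

Pointed at the full command listing above, the same parser separates the services that were only inventoried (DPS, fdPHost, FDResPub, iphlpsvc, lmhosts, MRxSMB10) from the ones that were stopped and set to Start=4 (AeLookupSvc, IEEtwCollectorService, lanmanserver, MRxDAV), which is the list a responder needs when re-enabling services after detonation.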

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 112.2o7.net udp
US 8.8.8.8:53 112.2o7.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1storecatalogrevocation.storequality.microsoft.com udp
US 8.8.8.8:53 1storecatalogrevocation.storequality.microsoft.com udp
US 8.8.8.8:53 1storecatalogrevocation.storequality.microsoft.com udp
US 8.8.8.8:53 1storecatalogrevocation.storequality.microsoft.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2624-0-0x0000000140000000-0x00000001400B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\589B.tmp\589C.tmp\589D.bat

MD5 094fe951e317efb61ed1f050cd6d4220
SHA1 a9ee17b0573d9191da8242f6922075e3c2a021a2
SHA256 9ed136a0badeae075bb4298500840a4b9a53365ee11449af0cf25886f25f206b
SHA512 9a0571f51deced515e3c125ef54bbc30e7d1afb45d8bd2d84525b8cc555c36cad0cefd6cf8c1a8b68e7eaef7d3f23eab133680387ae3cb26d24ca8d40fcd0f58

C:\Users\Admin\AppData\Local\Temp\'

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 a81cced386011e782b43c0d3251b560b
SHA1 6b7d165226b6a6a9c09c114917d6f7b70ed3d52b
SHA256 aa03808fa7d3d597c9532b62ac48a55e5796cc947fedc98becb5e41f15f8e2e9
SHA512 215273e2c7f2dee477cf55db257cf91b6c9666ab21d8cb07f273371239bc267b8ef634ca9ea396fe4252351fe64f60eac436faedab1bd8d2d78234cf3fa95608

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 44f81b751ab0e430f91039661badb994
SHA1 8c6c0a80f9545745bccb1dc60208e90954c025ec
SHA256 c9061f8a635d7b49893673b6c69d3c400972e45f221f698efde216d476f9387e
SHA512 e5dd78db2bab945bcbb56242579e82ea670033410f48f22c5dd52621db1811be2c7e1dc134ab563355113e437b536a8e5abf931fa700705721a89172a5e1aa8e

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 91418fff4aedc3c32effe9e134de31c7
SHA1 9e399d8a14d2848736e3e79d9768f9384ffdfaf0
SHA256 c146fe1ea70d4f8919324ebf2e05386a081365b006f14fa7d4de18e16b08b7b8
SHA512 611f10e011b458a77bf94b5cfb0f7f5a8095df46f2e41db491ae7407264acd059cc728cb1837ab0274c481b6dd7e156f45608450ab707036310acd9fcee00349

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 314facf04e765b8d30c8394a8db979cf
SHA1 898c853f7367027f3f9755ae28c9ab5d3d7aceda
SHA256 30a27a15ee3b707af70bcf7e3010c8d95fb2210c5f2ec39b3cbc11030a8d971d
SHA512 ae4350a37227b38c707b12e323f309091fd0f1bcb56a1b912bb2fe7d9ea89982c588beb2dbdde637fcbf9af2cfbe35deb0c461b36ea57d2c9319ac4d765b4d60

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 cf0e6212974313466638c2ee46fb0d0f
SHA1 e59d48fb0dd400f65d62f542b554b0157adb7735
SHA256 6f64b34df0d4a3cde3050a75636f79354f5c800e0fbf50d6456a371b63926120
SHA512 4e2f23238b889f84b59e0d83b5ef2e3981bbfa4506f114b2e53986eae7cb0a028c59ed6f039428be0dbea67df6de454c611ee4016f3327ce88cab7bd63172395

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 3884887f65745965da0fe42ff68e8e46
SHA1 5001b2948c288653e16248f8761b4c9ed8900044
SHA256 08b46b6d09e7678b034b1ccf96a366f71d001127554bef9fd97fff7873beda99
SHA512 9ed3406b7272eee3a13731f1649e1fd2f3273f472f5dc192e749afd0ac5e4f4f7d46d4447212b880f8730bb3b46bf0c842d3648a6101f1493b7a111b72e09788

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 69fbb26c1d8f4df2a309f9cf88340928
SHA1 990792f5db60f5a27fed21303039459dca6cc877
SHA256 fbfaac26f2d0240a0764407c4848e8989b09855988f63023b4b0faec9970d929
SHA512 7c60adc20b4df64f34c1e727d650de14509bd1033e86c22729de4eb958ae92e14cdb920a902f8605f21b23c714b34017454c89db352d0f299b019283388367b3

C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp

MD5 e78b508639d9713e3cec177c0a9567fa
SHA1 c73bcf9cd8c9300192025333ba26421b1714b6ef
SHA256 01c6fc41031b1e402226bddc83b677a81d5407787451bebaccc3e3c2bca46f1b
SHA512 a6bdf6d032f59b6cf2a26206e5a495336c54b15f57411b8811e6bc2d989fd2c984e91b64c5d1740aea37e5afd63403c0e38eb2475d91972349260154bb025a4e

memory/2624-33-0x0000000140000000-0x00000001400B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 4e13bc2227bf31265b8db09593cb3657
SHA1 85ad3efe4613e7a37d697b9a72e0bc1bcbda1c57
SHA256 037dc57dd95d18bf446bfc091c84df9659c83ec31a2bf28332833a2af902d10c
SHA512 c699d077d94a6b37239dc2da072f62f947bd140d7be9b8ccb3338fe101dfb9aff07b99aa2b924e20df1a99abf4f18089ce1d9d9c16fdd5d0468d1e8f24cdbf15

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 943471f039cb82d7e5a146f2397807c3
SHA1 fc5d5e2f5bd4caf930ae823a080754b3bc3c8d2e
SHA256 92eddbb3afb6348f90603b48a65b7e3d300b525107b5d6299b5738d2517d4dff
SHA512 25dec352d18b6263ffefaadf8f5acb0509a4a437425a8d9af96623696f7d6db5d1f9bc6197ecfffbbfad10c045ab5a6f71ba074d45e9d1388fac40533bbb4b8d

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 266b2aabcd30d0afd83540daae99a22b
SHA1 6e94ebdc327d1581eab746c27cfe816948c38ab7
SHA256 6921ef6e2f742568023da2ec7bb3eb0e0b0d85820c1471a0c95c959dac19c8be
SHA512 738cf6d936301f1b049e934710002432b6a2689aceaeb3be80b6dbcb41deadf553d83fa7ea8851234e6917e1582da6545aaf22b0e31e0c5baa9144e68bea4051

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 3b2db7343a54976591a5168e04c80a6b
SHA1 ff675e5d08a05a245a95251c5925b6a2e8ef60b3
SHA256 d8bd301831591a8060a2e48625a783bdbe4e22d380f9f7b2a0fb463e1711b323
SHA512 db3058f54a57852501005308a6b4cd524e0e780bcf26dcec7a80827bf7120ab21b87bec68bc154e7d7c89be284e2358e41a403cbebff85926b97b98444c5c33d

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 970785299fcc92ab24103af56c64cfd3
SHA1 72a8bada2a8aa69634c5b7ac2bb850c8ef3f3d48
SHA256 59204b27e2569e9c5a481af3886abe6bc4b8dda6a450102b84612e72a90f151c
SHA512 93dbf4989db1e7cf5fda8ff02ebd2eacc4ae74142ddd328a103c3034724eea04621777dc742a6a347bad91468b4890675efddc8024f05a35eb9f13dd7c73dc81

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 d848215b6764a9ec4f96ebb68a18ab8e
SHA1 985534b9ac7ce7f764adb4f2a12d9f384f9e1cce
SHA256 166b013db8c49ca1db500d14a9b1e157c20a28497a559a9a07b37d91881705b9
SHA512 4f1554e89ad0c8a4e68a6484c98bc3fac14f6d71a90280f3d83e0ebea53d96c2738751749c666449c5d137fc70bef317f7d10d8da107b58d6eb26cdef7d4f296

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 8d0147ec334f4b2567029dfce703fcde
SHA1 b1821df7c08d996d0d4fd09165ba2c6e2b2ecc24
SHA256 a4307857231aad4e1ad6c49fd5cc4e5ecaa593cf671fbe48c3002e4fa604fdf2
SHA512 6e3d14675079e0c5869a1879c5a33e8082b2ad90a716fe9f6d66a660a40ee110935c0bbb668b8bf4c190e9fb28582d6c4e9942b04c7a30417323dafe2146aeea

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 c82a9ecd14c067e8a52e2ae041d5790f
SHA1 9491863a587f01917a6de13235721f769f4ecbf9
SHA256 db036483e8b88559a05534170f842bf0339f6f258122845568345ec8e4402782
SHA512 127ab799d673ad3ec8d2ed7e9fff5758ed241b1be6c3039c499385b35dc9f7db007d92477c905995da69b7f4679ef528352f5ea2978e23bc2f4017dbdbdf4b78

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 599f806a626dda2fa2cbc755e98b5bb4
SHA1 30d69b664f0eb40102a1de9dc34e7a2fa33f21e5
SHA256 702ef14a4166667a42ee50f5a04298c951ba7464653e04ea04a6610386ac6c33
SHA512 318a531b6991ec1bebc21ded11555c3043e6674eb68b11218aa47ac4782463c3e8d58620a5b6d69860a659ac383cd3cc404fc659c85c839ecbba7f30b9fb981e

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 3c0e051cae923ef7acf4d09afdfd0427
SHA1 a7c7b28c1f749cf9e1514c9d2198b7c08ceb5d05
SHA256 823762c92e56396a66bbcac80faa9a3f52f7b05351dbd43369a22dad8c38d010
SHA512 0b6192ca85587a765591409900ac45c333f600ed08f4dc1a10993317d6d048cd0beb05981109b738fe5527fd92e5ee2d819d273f55bf0c5c49e594a5966abee4

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 7599a325cf1a36c246a529fcdc275997
SHA1 1d833c66beba196c98c52e66729d558d04a2dd49
SHA256 44242cb16a6ec0f8d095269b2b996c9653e186db83279bf1ace7c8c6064c23ca
SHA512 14b0b24f90a3cc32ea2a6793a0958b2fb8a2149f4100d121bec07f7beb7a84f40db74fd7e4c09b2704d96f98d1d7203b2708930e4c2e2ca5d6604a6b8cc61aae

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 9e02df7d26d8ae7e4ee4ea7d2964ce51
SHA1 e29683d5bdabf7b5d4c347ab876fd25aac8bd63d
SHA256 b9e90e86fc813ccc451903725367bb124e688d1a12a9d742ec74eec09dc818e4
SHA512 1fbfc402fca8a8a364ea13548f072db88a5b50212a9e413bbfe40d2947484d78f71b618d1916eab7217037b490ac8812b430d39b19e030885dd39e605d6f53cc

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 237c381ff62b8ad803b2e46b84bdd865
SHA1 6726124b70a147d2212f970c56132c433c1cbb4e
SHA256 aecdb30ec71648ba9c362bc9534cd72f99358387bc2ca2e6b78cd5353d61cc63
SHA512 e6c0b0e484b21c98b0c744a88621310d7e66d75a757ff1732277ed833889bfc507e6026d41cad379583c161ef82facf55f286f85c52d4bb5316efd768969a7bd

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 b480255996df220923cdfe9fa128f1f2
SHA1 4ba834d3670d39570b9a183d6f1f4ea7ef8fa0bc
SHA256 f12bc136869e8891ed61eac10fdf52074f9cb3ac3c56a897ab141a36ad5526f8
SHA512 12b6e0ae104849c93b9844eff74256327ec51aaedcfe9fc5ecc88f9b15cd632e691c5f4ccf88d8642c63d537af06bab998e57d0270a9457d97ebd912fc3b166d

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 0efa62e28f946112649b917f19e96c90
SHA1 be33e7fb85194a025460bf9dabd7236e7935e7ba
SHA256 6ac5c33ccc6b9db0424c3c38acda4ee0aacf21155aef111857f4889080c93400
SHA512 6497b3aea9d35fbbbf87f8253e61442e590f3a432ed53e166aa3d14c9d54afd73da0b1b44850b6f6e00674e427b818dafaa1c463057be0f5baba0d9edcf962d9

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 9e5bc90abc2d668ec0edeafd847a367c
SHA1 f12743d1f5407546eb70c162d53d6a05870b680f
SHA256 ea94e743be9a8e6c294bccf4f3f7bd0a0f459aecb6d272098e91eab3fade3a23
SHA512 17f5ad246b0d93e7f3d51227797ac6f0a380799a688c8dd1ab233d82938d1b21c86a2a256e42e6814d3efed24252101f4082c056bd17366a1a70aad7aa090649

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 e75b24a3f3a9a5e65ee890cc95be6949
SHA1 89b90b0251baa77a186d00ef3e8ffc76edd65aba
SHA256 5b0e23aef6a89ee46f0b96fc8a820dc9feca59ff3c2a49b1979f692796a4c9d7
SHA512 3887322d4f485379980c4130d3109824fe54558e3836bf68fe01d1842b5cc5acda726b8fc4a70d7f2df5e00ba329061eb2e606bd3a2d956974675f873777d0ff

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 8da145462f785db926f4289d0a9c2fdb
SHA1 32c2bd035bdc95f1d3c7ed4850545004653eb1ed
SHA256 2556082038f3a5bd5752b774971e7a5744a5f7a17452277ef46b215c73de2132
SHA512 958fc6e754036bba5cdee1638639586ccde6b3adc6deadc5c8ac1cf10e8a06db9d3c44d13957eab0ca2d31ba70adfdac5e6be6616ebc1d109a91b27700044caa

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 28b4ffd6efb374469609c1d8fba31c4d
SHA1 6e70d8ce6a3d22c3f8e1ed7aa5b70556712331f8
SHA256 b0eacbaca80bce3d73d60c5ee14e219573474fcf9c94a269e61746b09f6e1fba
SHA512 88ff8492390e577770f1a47d773c981b2f662962d37f6ad43eec40571442dd0c9300f88af51e5dc91fa62274e8498c4d2b8106ef910af7eb8299fd69268dac0f

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 1e930993fa6581249e4c13726d1cb09d
SHA1 f34f88fddcea971d4ee8cfd27b18f62fd11f5df2
SHA256 cd8746fce7c39374e2612724cb78ba4d6d8bf9a326d0804f464516039c7a482f
SHA512 b918c8360e8d5b998e8e92ec2e075dab749c0faabb3a652d3c92338985f01912664d0828b9cb061786b32ce875d1bd718baccdf32c7553ccda15dbdc3216883a

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 f59c8225d45fea0c2f3ac81076972e64
SHA1 eab8e70c711290d71e86aad0de22bbc470f0272c
SHA256 969df9f0b907b29ea0c707e677b3cfccc845eeb9c79a0f876ccc3c0a19f49aa0
SHA512 d3783e7f962b14af39274a5fe3dfdf0b9c05dfd2c9142686c4b68af6dc6d6c558ef39996ed047696224294e09b2ef9fe8916d9afe1ce73ea85572f6d4f4ef67a

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-18 14:57

Reported

2024-03-18 15:02

Platform

win10v2004-20240226-en

Max time kernel

243s

Max time network

248s

Command Line

"C:\Users\Admin\AppData\Local\Temp\blackbird.exe"

Signatures

Turns off Windows Defender SpyNet reporting

evasion

Stops running service(s)

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Program Files\WindowsApps C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Program Files\WindowsApps C:\Windows\system32\attrib.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
(60 further rows recorded with all four fields N/A)

Delays execution with timeout.exe

evasion
Description Indicator Process Target
(26 rows recorded, all four fields N/A)

Disables Windows logging functionality

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.549981C3F5F10_8wekyb3d8bbwe\CortanaStartupId N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.549981C3F5F10_8wekyb3d8bbwe\CortanaStartupId\State = "1" N/A N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ms-msdt\shell\open N/A N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ms-msdt N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData N/A N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ms-msdt\shell\open\command N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft N/A N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ms-msdt\shell N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.549981C3F5F10_8wekyb3d8bbwe N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows N/A N/A
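
The rows above contain two distinct things: creation of an AppModel SystemAppData state key for the Cortana package, and deletion of the ms-msdt class key together with its shell, shell\open and shell\open\command subkeys, which removes the ms-msdt: URL protocol handler. Deleting HKEY_CLASSES_ROOT\ms-msdt is also the workaround Microsoft published for CVE-2022-30190 (the MSDT protocol issue), so the "Key deleted" pattern on its own does not separate hardening from tampering; the scheme being removed is what an analyst needs to pull out. The Python below is an added example, not part of the sandbox report; it parses rows in the table's format, counts operations, and lists the schemes whose shell\open\command handler was deleted. The sample rows are copied from the table above, and the function names are this example's own.

```python
import re
from collections import Counter

# Row layout used by the table: <operation> <key>[ = <value>] <process> <target>
ROW_RE = re.compile(
    r"^(Key created|Key deleted|Set value \(\w+\))\s+(\\REGISTRY\\.+?)(?:\s+=\s+(.+?))?\s+N/A\s+N/A$")
# A URL-protocol handler lives at HKLM\SOFTWARE\Classes\<scheme>\shell\open\command
PROTOCOL_HANDLER_RE = re.compile(
    r"\\SOFTWARE\\Classes\\([A-Za-z][\w.+-]*)\\shell\\open\\command$", re.I)

# Constructed excerpt of the "Modifies registry class" table above (rows copied from the page).
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.549981C3F5F10_8wekyb3d8bbwe\CortanaStartupId\State = "1" N/A N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ms-msdt\shell\open N/A N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ms-msdt N/A N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ms-msdt\shell\open\command N/A N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ms-msdt\shell N/A N/A
"""


def parse_registry_rows(text):
    """Turn table rows into dicts with op, key and (for Set value) the written value."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line) if line else None
        if m:
            op, key, value = m.groups()
            rows.append({"op": op, "key": key, "value": value})
    return rows


def op_counts(rows):
    """Counter of operations, with the value type stripped ("Set value (int)" -> "Set value")."""
    return Counter(r["op"].split(" (")[0] for r in rows)


def removed_protocol_handlers(rows):
    """Lower-cased URL schemes whose shell\\open\\command key was deleted."""
    schemes = set()
    for r in rows:
        m = PROTOCOL_HANDLER_RE.search(r["key"])
        if r["op"] == "Key deleted" and m:
            schemes.add(m.group(1).lower())
    return schemes


if __name__ == "__main__":
    rows = parse_registry_rows(SAMPLE_ROWS)
    print(dict(op_counts(rows)))
    print("protocol handlers removed:", sorted(removed_protocol_handlers(rows)))
```

On a live host the equivalent check is whether HKCR\ms-msdt\shell\open\command still exists; if the sample is run outside a sandbox, restoring that handler is a deliberate decision rather than a default, since the workaround above is what some administrators want in place.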

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
(53 further rows recorded with all four fields N/A)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 232 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\blackbird.exe C:\Windows\system32\cmd.exe
PID 232 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\blackbird.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 4668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 4668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2156 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2156 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2156 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2156 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2156 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2156 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2156 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2156 wrote to memory of 3632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 2156 wrote to memory of 3632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 2156 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 3560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 3560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3560 wrote to memory of 920 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3560 wrote to memory of 920 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3560 wrote to memory of 4464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3560 wrote to memory of 4464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2156 wrote to memory of 1616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2156 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2156 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2156 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2156 wrote to memory of 3976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 3976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1348 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1348 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 1348 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1348 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1348 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1348 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2156 wrote to memory of 1632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2156 wrote to memory of 1632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2156 wrote to memory of 3212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2156 wrote to memory of 3212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2156 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1716 wrote to memory of 3536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1716 wrote to memory of 3536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1716 wrote to memory of 3992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1716 wrote to memory of 3992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2156 wrote to memory of 2308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2308 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2308 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2156 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 3468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2156 wrote to memory of 3468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2156 wrote to memory of 4972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 4972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 3372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\subst.exe
PID 2156 wrote to memory of 3372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\subst.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\blackbird.exe

"C:\Users\Admin\AppData\Local\Temp\blackbird.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5D43.tmp\5D44.tmp\5D45.bat C:\Users\Admin\AppData\Local\Temp\blackbird.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo ;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;; "

C:\Windows\system32\find.exe

find /C /I "\system32;"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo ;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;; "

C:\Windows\system32\find.exe

find /C /I "\wbem;"

C:\Windows\system32\reg.exe

reg add HKLM /F

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\shutdown.exe

shutdown /a

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic /node:"ETDALPOV" COMPUTERSYSTEM GET USERNAME | findstr /i "ETDALPOV"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:"ETDALPOV" COMPUTERSYSTEM GET USERNAME

C:\Windows\system32\findstr.exe

findstr /i "ETDALPOV"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users\Admin\AppData\Local\Temp\blackbirds_temp "

C:\Windows\system32\findstr.exe

findstr /i ".*\\blackbirds_temp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps; "

C:\Windows\system32\findstr.exe

findstr /i "powershell"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mode con|findstr /n "^"|findstr /l /b /c:"5:"

C:\Windows\system32\mode.com

mode con

C:\Windows\system32\findstr.exe

findstr /n "^"

C:\Windows\system32\findstr.exe

findstr /l /b /c:"5:"

C:\Windows\system32\reg.exe

reg query "HKCU\Control Panel\Desktop"

C:\Windows\system32\findstr.exe

findstr /ir "\<PreferredUILanguages.*REG_MULTI_SZ "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\System\ControlSet001\Control\Nls\Language" /v "InstallLanguage" | findstr /ir "\<InstallLanguage.*REG_SZ "

C:\Windows\system32\reg.exe

reg query "HKLM\System\ControlSet001\Control\Nls\Language" /v "InstallLanguage"

C:\Windows\system32\findstr.exe

findstr /ir "\<InstallLanguage.*REG_SZ "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_useraccount where name='Admin' get sid"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_useraccount where name='Admin' get sid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" dir /b "C:\Program Files (x86)\" "

C:\Windows\system32\findstr.exe

findstr /irc:"NVIDIA Corporation"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:06 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:06 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:60 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh interface ipv6 show route | findstr /rc:".* 1 .*\:.*\:.*\:.*/128 .* \:\:1$"

C:\Windows\system32\netsh.exe

netsh interface ipv6 show route

C:\Windows\system32\findstr.exe

findstr /rc:".* 1 .*\:.*\:.*\:.*/128 .* \:\:1$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh interface ipv4 show route | findstr /rc:".* 1 .*[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/32 .* 127.0.0.0$" | findstr /r /v "0\.0\.0\.0"

C:\Windows\system32\netsh.exe

netsh interface ipv4 show route

C:\Windows\system32\findstr.exe

findstr /rc:".* 1 .*[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/32 .* 127.0.0.0$"

C:\Windows\system32\findstr.exe

findstr /r /v "0\.0\.0\.0"

C:\Windows\system32\schtasks.exe

schtasks /query /fo list

C:\Windows\system32\findstr.exe

findstr /vr ".*\\UpdateOrchestrator\\Schedule.*Scan$ .*\\USO_Broker_Display$ .*\\USO_UxBroker$ .*\\WinSAT$"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Agent Activation Runtime\\S-1-5-21-557049126-2506969350-2798870634-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\Office 15 Subscription Heartbeat$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\AgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\AppID\\SmartScreenSpecific$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\AppID\\VerifiedPublisherCertStoreCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Application Experience\\AitAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Application Experience\\Microsoft Compatibility Appraiser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Application Experience\\PcaPatchDbTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Application Experience\\ProgramDataUpdater$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Application Experience\\StartupAppTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierDaily$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierInstall$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\ApplicationData\\DsSvcCleanup$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Autochk\\Proxy$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\CloudExperienceHost\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\BthSQM$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\HypervisorFlightingTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\KernelCeipTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\Uploader$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\UsbCeip$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Device Information\\Device$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Device Information\\Device User$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Device Setup\\Metadata Refresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Diagnosis\\RecommendedTroubleshootingScanner$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Diagnosis\\Scheduled$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticDataCollector$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticResolver$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\DiskFootprint\\Diagnostics$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\End Of Support\\Notify1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\End Of Support\\Notify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\ErrorDetails\\EnableErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\ErrorDetails\\ErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Feedback\\Siuf\\DmClient$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Feedback\\Siuf\\DmClientOnScenarioDownload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\FileHistory\\File History (maintenance mode)$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Flighting\\FeatureConfig\\ReconcileFeatures$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Flighting\\FeatureConfig\\UsageDataFlushing$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Flighting\\FeatureConfig\\UsageDataReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\IME\\SQM data sender$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Input\\LocalUserSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Input\\MouseSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Input\\PenSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Input\\TouchpadUserSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\LanguageComponentsInstaller\\Installation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\LanguageComponentsInstaller\\ReconcileLanguageResources$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Location\\Notifications$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Maintenance\\WinSAT$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Management\\Provisioning\\Cellular$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Management\\Provisioning\\Logon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\ActivateWindowsSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\ConfigureInternetTimeService$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\DispatchRecoveryTasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\ehDRMInit$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\InstallPlayReady$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\mcupdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\MediaCenterRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\ObjectStoreRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\OCURActivate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\OCURDiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\PBDADiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\PvrRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\PvrScheduleTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\RegisterSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\ReindexSearchRoot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\SqlLiteRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Media Center\\UpdateRecordPath$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Mobile Broadband Accounts\\MNO Metadata Parser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\NetTrace\\GatherNetworkInfo$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\NlaSvc\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\PerfTrack\\BackgroundConfigSurveyor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\PI\\Sqm-Tasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeSystem$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\PushToInstall\\LoginCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\PushToInstall\\Registration$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\RemoteAssistance\\RemoteAssistanceTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\RemovalTools\\MRT_ERROR_HB$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\SettingSync\\BackgroundUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\SettingSync\\BackupTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\SettingSync\\NetworkStateChangeTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\EOSNotify$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\EOSNotify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\gwx\\launchtrayprocess$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfigandcontent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\refreshgwxconfig-B$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Telemetry-4xd$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Shell\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyMonitor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyMonitorToastTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyRefresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyRefreshTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyUpload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\SideShow\\SessionAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\SideShow\\SystemDataProviders$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Speech\\SpeechModelDownloadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Maintenance Install$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_AC$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_Battery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Report policies$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\schtasks.exe

schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies"

C:\Windows\system32\findstr.exe

findstr /irc:" Disabled .*$"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Maintenance Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\schtasks.exe

schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work"

C:\Windows\system32\findstr.exe

findstr /irc:" Disabled .*$"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan Static Task$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\schtasks.exe

schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task"

C:\Windows\system32\findstr.exe

findstr /irc:" Disabled .*$"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Wake To Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\schtasks.exe

schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work"

C:\Windows\system32\findstr.exe

findstr /irc:" Disabled .*$"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\schtasks.exe

schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Work"

C:\Windows\system32\findstr.exe

findstr /irc:" Disabled .*$"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_Broker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_RebootDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_ReadyToReboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\UpdateModelTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\schtasks.exe

schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask"

C:\Windows\system32\findstr.exe

findstr /irc:" Disabled .*$"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\UPnP\\UPnPHostConfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\User Profile Service\\HiveUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\WaaSMedic\\PerformRemediation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\WCM\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\Windows Error Reporting\\QueueReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\WindowsUpdate\\sih$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\Windows\\WlanSvc\\CDSSync$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\XblGameSave\\XblGameSaveTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\Microsoft\\XblGameSave\\XblGameSaveTaskLogon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\OneDrive Standalone Update Task-S-1-5-21-557049126-2506969350-2798870634-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\NvTmRep$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\NvTmRepCR1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\NvTmRepCR2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\NvTmRepCR3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:" \\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\AarSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\AarSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\AeLookupSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\BcastDVRUserService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BcastDVRUserService

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\BluetoothUserService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\BluetoothUserService

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\CaptureService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CaptureService

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\cbdhsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\cbdhsvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\CDPSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CDPSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\CDPUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\cldflt$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\cldflt

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\ConsentUxUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\ConsentUxUserSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\CredentialEnrollmentManagerUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DcpSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DeviceAssociationBrokerSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DeviceAssociationBrokerSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DeviceAssociationService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DeviceAssociationService

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DevicePickerUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DevicePickerUserSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DevicesFlowUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DevicesFlowUserSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\diagnosticshub.standardcollector.service$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\diagsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\diagsvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DiagTrack$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DiagTrack

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DmWapPushService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DmWapPushService

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DoSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DPS$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DPS

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DsSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\DsSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\fdPHost$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\fdPHost

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\FDResPub$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\FDResPub

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\HPTouchpointAnalyticsService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\IEEtwCollectorService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\InstallService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\InstallService

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\iphlpsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\lanmanserver$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\lfsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\lfsvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\lmhosts$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\lmhosts

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\LxpSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\LxpSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\MessagingService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\MessagingService

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\MRxDAV$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\MRxSMB10$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\NcaSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\NcaSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\NcbService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\NcbService

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\NetBT$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\NetBT

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\NetMsmqActivator$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\OneSyncSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\PcaSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\PcaSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\PimIndexMaintenanceSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\PrintWorkflowUserSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\PrintWorkflowUserSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\PushToInstall$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\PushToInstall

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\RemoteAccess$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\RemoteRegistry$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\RetailDemo$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\RetailDemo

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\sgrmbroker$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\sgrmbroker

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\shpamsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\shpamsvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\SmsRouter$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\srv$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\SSDPSRV$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\StorSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\StorSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\telemetry$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\telemetry

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\TrkWks$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\TrkWks

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\tunnel$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\tunnel

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\UevAgentService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UevAgentService

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\UnistoreSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\upnphost$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\upnphost

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\UserDataSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\VDWFP$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\VisualDiscovery$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\W32Time$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WaaSMedicSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\wcncsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wcncsvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WdiServiceHost$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WdiServiceHost

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WdiSystemHost$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WdiSystemHost

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WebClient$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WebClient

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\wercplsupport$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wercplsupport

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WerSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WerSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WinHttpAutoProxySvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WinRM$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WinRM

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\wisvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wisvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\wlidsvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WMPNetworkSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WpnService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WpnService

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\WpnUserService$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\xbgm$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\XblAuthManager$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\XblAuthManager

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\XblGameSave$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\XblGameSave

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\XboxGipSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\XboxGipSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\XboxNetApiSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc

C:\Windows\system32\findstr.exe

findstr /irc:" start .*REG_DWORD .*0x[0-3]$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\NvTelemetryContainer$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger" | findstr /v "ReadyBoot Defender EventLog- Status" | findstr /i ".*\\WMI\\Autologger\\.*"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger"

C:\Windows\system32\findstr.exe

findstr /v "ReadyBoot Defender EventLog- Status"

C:\Windows\system32\findstr.exe

findstr /i ".*\\WMI\\Autologger\\.*"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Cellcore"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\CloudExperienceHostOobe"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DataMarket"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\HolographicDevice"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\LwtNetLog"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Mellanox-Kernel"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-AssignedAccess-Trace"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-Rdp-Graphics-RdpIdd-Trace"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-Setup"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NBSMBLOGGER"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NetCore"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NtfsLog"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\PEAuthLog"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\RadioMgr"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\RdrLog"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SetupPlatform"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SetupPlatformTel"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SpoolerLogger"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TCPIPLOGGER"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TileStore"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Tpm"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\UBPM"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WFP-IPsec Trace"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiDriverIHVSession"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiDriverIHVSessionRepro"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiSession"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WinPhoneCritical"

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x1$"

C:\Windows\system32\reg.exe

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo

C:\Windows\system32\findstr.exe

findstr /irc:" Id .*REG_SZ .*null$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\findstr.exe

findstr /a:0f "." "/.\'" nul

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0e /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x4$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv

C:\Windows\system32\findstr.exe

findstr /irc:" Start .*REG_DWORD .*0x[1-3]$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:02 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0e /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:3f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:06 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"

C:\Windows\system32\subst.exe

subst ': "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\findstr.exe

findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xcopy /L /w "C:\Users\Admin\AppData\Local\Temp\5D43.tmp\5D44.tmp\5D45.bat" "C:\Users\Admin\AppData\Local\Temp\5D43.tmp\5D44.tmp\5D45.bat" 2>NUL

C:\Windows\system32\xcopy.exe

xcopy /L /w "C:\Users\Admin\AppData\Local\Temp\5D43.tmp\5D44.tmp\5D45.bat" "C:\Users\Admin\AppData\Local\Temp\5D43.tmp\5D44.tmp\5D45.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\5D43.tmp\5D44.tmp\5D45.bat" nul /z

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\upfc.exe"

C:\Windows\system32\findstr.exe

findstr /irc:".*System.*(RX)"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\system32\upfc.exe" /a

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\upfc.exe" /grant:r system:r /C /Q

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\upfc.exe" /grant:r "nt service\trustedinstaller:r" /C /Q

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\upfc.exe" /grant:r *S-1-5-32-544:f /C /Q

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\upfc.exe" /setowner "nt service\trustedinstaller" /C /Q

C:\Windows\system32\icacls.exe

icacls "C:\Windows\system32\upfc.exe" /grant:r *S-1-5-32-544:r /C /Q

C:\Windows\system32\attrib.exe

attrib -s -h -r /S /D "C:\Program Files\WindowsApps"

C:\Windows\system32\attrib.exe

attrib -s -h -r /S /D "C:\Users\Admin\AppData\Local\Packages"

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\WindowsApps"

C:\Windows\system32\findstr.exe

findstr /irc:"ETDALPOV.*Admin.*(F)"

C:\Windows\system32\attrib.exe

attrib -h /D "C:\Program Files\WindowsApps"

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\WindowsApps" /grant:r *S-1-5-32-544:f /C /Q

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\AppData\Local\Packages"

C:\Windows\system32\findstr.exe

findstr /irc:"ETDALPOV.*Admin.*(F)"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /a:d /b "C:\Users\Admin\AppData\Local\Packages" | findstr /i ".*Advertising.*" | findstr /iv ".*BlackbirdBackup"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" dir /a:d /b "C:\Users\Admin\AppData\Local\Packages" "

C:\Windows\system32\findstr.exe

findstr /i ".*Advertising.*"

C:\Windows\system32\findstr.exe

findstr /iv ".*BlackbirdBackup"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /a:d /b "C:\Program Files\WindowsApps" | findstr /i ".*Advertising.*" | findstr /iv ".*BlackbirdBackup"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" dir /a:d /b "C:\Program Files\WindowsApps" "

C:\Windows\system32\findstr.exe

findstr /i ".*Advertising.*"

C:\Windows\system32\findstr.exe

findstr /iv ".*BlackbirdBackup"

C:\Windows\system32\attrib.exe

attrib -h /D /S "C:\Program Files\WindowsApps"

C:\Windows\system32\takeown.exe

takeown /a /f "C:\Program Files\WindowsApps"

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\WindowsApps" /grant:r *S-1-5-32-544:f /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" | findstr /i ".*\.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" dir /b "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" "

C:\Windows\system32\findstr.exe

findstr /i ".*\.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" /a /r /d y

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" /grant:r *S-1-5-32-544:f /T /C /Q

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" /remove:g SYSTEM /inheritance:r /deny "SYSTEM:(OI)(CI)(IO)(F)" /T /C /Q

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" /remove TrustedInstaller /T /C /Q

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" /remove "ALL RESTRICTED APPLICATION PACKAGES" /T /C /Q

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" /remove "ALL APPLICATION PACKAGES" /T /C /Q

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe" /remove "APPLICATION PACKAGE AUTHORITY" /T /C /Q

C:\Windows\system32\taskkill.exe

taskkill /F /IM searchUI.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM browser_broker.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM RuntimeBroker.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM RemindersServer.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM backgroundTaskHost.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM MicrosoftEdge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM MicrosoftEdgeCP.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM MicrosoftEdgeSH.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM MicrosoftEdgeBCHost.exe

C:\Windows\system32\schtasks.exe

schtasks /query /fo list

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Agent Activation Runtime\\S-1-5-21-557049126-2506969350-2798870634-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\Office 15 Subscription Heartbeat$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetry\\AgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetry\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetryAgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetryAgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetryAgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Office\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\AppID\\SmartScreenSpecific$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\AppID\\VerifiedPublisherCertStoreCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\AitAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\Microsoft Compatibility Appraiser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\PcaPatchDbTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\ProgramDataUpdater$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Application Experience\\StartupAppTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierDaily$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierInstall$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\ApplicationData\\DsSvcCleanup$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Autochk\\Proxy$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\CloudExperienceHost\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\BthSQM$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\HypervisorFlightingTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\KernelCeipTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\Uploader$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Customer Experience Improvement Program\\UsbCeip$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Device Information\\Device$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Device Information\\Device User$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Device Setup\\Metadata Refresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Diagnosis\\RecommendedTroubleshootingScanner$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Diagnosis\\Scheduled$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticDataCollector$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticResolver$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\DiskFootprint\\Diagnostics$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\End Of Support\\Notify1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\End Of Support\\Notify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\ErrorDetails\\EnableErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\ErrorDetails\\ErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Feedback\\Siuf\\DmClient$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Feedback\\Siuf\\DmClientOnScenarioDownload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\FileHistory\\File History (maintenance mode)$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Flighting\\FeatureConfig\\ReconcileFeatures$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Flighting\\FeatureConfig\\UsageDataFlushing$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Flighting\\FeatureConfig\\UsageDataReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\IME\\SQM data sender$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Input\\LocalUserSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Input\\MouseSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Input\\PenSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Input\\TouchpadUserSyncDataAvailable$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\LanguageComponentsInstaller\\Installation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\LanguageComponentsInstaller\\ReconcileLanguageResources$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Location\\Notifications$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Maintenance\\WinSAT$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Management\\Provisioning\\Cellular$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Management\\Provisioning\\Logon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ActivateWindowsSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ConfigureInternetTimeService$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\DispatchRecoveryTasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ehDRMInit$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\InstallPlayReady$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\mcupdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\MediaCenterRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ObjectStoreRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\OCURActivate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\OCURDiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PBDADiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PvrRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\PvrScheduleTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\RegisterSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\ReindexSearchRoot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\SqlLiteRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Media Center\\UpdateRecordPath$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Mobile Broadband Accounts\\MNO Metadata Parser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\NetTrace\\GatherNetworkInfo$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\NlaSvc\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\PerfTrack\\BackgroundConfigSurveyor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\PI\\Sqm-Tasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeSystem$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\PushToInstall\\LoginCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\PushToInstall\\Registration$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\RemoteAssistance\\RemoteAssistanceTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\RemovalTools\\MRT_ERROR_HB$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\SettingSync\\BackgroundUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\SettingSync\\BackupTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\SettingSync\\NetworkStateChangeTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\EOSNotify$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\EOSNotify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\gwx\\launchtrayprocess$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfigandcontent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\refreshgwxconfig-B$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Telemetry-4xd$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyMonitor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyMonitorToastTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyRefresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyRefreshTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Shell\\FamilySafetyUpload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\SideShow\\SessionAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\SideShow\\SystemDataProviders$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Speech\\SpeechModelDownloadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Maintenance Install$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_AC$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_Battery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Report policies$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\schtasks.exe

schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies"

C:\Windows\system32\findstr.exe

findstr /irc:" Disabled .*$"

C:\Windows\system32\schtasks.exe

schtasks /End /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies"

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "Disable-ScheduledTask -TaskName 'Report policies' -TaskPath '\Microsoft\Windows\UpdateOrchestrator\'"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Maintenance Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\schtasks.exe

schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work"

C:\Windows\system32\findstr.exe

findstr /irc:" Disabled .*$"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\schtasks.exe

schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"

C:\Windows\system32\findstr.exe

findstr /irc:" Disabled .*$"

C:\Windows\system32\schtasks.exe

schtasks /End /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "Disable-ScheduledTask -TaskName 'Schedule Scan' -TaskPath '\Microsoft\Windows\UpdateOrchestrator\'"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan Static Task$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\schtasks.exe

schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task"

C:\Windows\system32\findstr.exe

findstr /irc:" Disabled .*$"

C:\Windows\system32\schtasks.exe

schtasks /End /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task"

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "Disable-ScheduledTask -TaskName 'Schedule Scan Static Task' -TaskPath '\Microsoft\Windows\UpdateOrchestrator\'"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Wake To Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\schtasks.exe

schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work"

C:\Windows\system32\findstr.exe

findstr /irc:" Disabled .*$"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Work$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\schtasks.exe

schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Work"

C:\Windows\system32\findstr.exe

findstr /irc:" Disabled .*$"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_Broker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_RebootDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\schtasks.exe

schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker"

C:\Windows\system32\findstr.exe

findstr /irc:" Disabled .*$"

C:\Windows\system32\schtasks.exe

schtasks /End /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker"

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "Disable-ScheduledTask -TaskName 'USO_UxBroker' -TaskPath '\Microsoft\Windows\UpdateOrchestrator\'"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_ReadyToReboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\USO_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UpdateOrchestrator\\UpdateModelTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\schtasks.exe

schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask"

C:\Windows\system32\findstr.exe

findstr /irc:" Disabled .*$"

C:\Windows\system32\schtasks.exe

schtasks /End /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask"

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "Disable-ScheduledTask -TaskName 'UpdateModelTask' -TaskPath '\Microsoft\Windows\UpdateOrchestrator\'"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\UPnP\\UPnPHostConfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\User Profile Service\\HiveUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\WaaSMedic\\PerformRemediation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\WCM\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\Windows Error Reporting\\QueueReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\WindowsUpdate\\sih$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\Windows\\WlanSvc\\CDSSync$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\XblGameSave\\XblGameSaveTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\Microsoft\\XblGameSave\\XblGameSaveTaskLogon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\OneDrive Standalone Update Task-S-1-5-21-557049126-2506969350-2798870634-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\NvTmRep$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\NvTmRepCR1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\NvTmRepCR2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\NvTmRepCR3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\findstr.exe

findstr /irc:".*\:.* \\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\AarSvc$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo AarSvc "

C:\Windows\system32\findstr.exe

findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" AarSvc_.*"

C:\Windows\system32\sc.exe

sc queryex state= all

C:\Windows\system32\findstr.exe

findstr /irc:" AarSvc_.*"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\AeLookupSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\BcastDVRUserService$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo BcastDVRUserService "

C:\Windows\system32\findstr.exe

findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" BcastDVRUserService_.*"

C:\Windows\system32\sc.exe

sc queryex state= all

C:\Windows\system32\findstr.exe

findstr /irc:" BcastDVRUserService_.*"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\BluetoothUserService$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo BluetoothUserService "

C:\Windows\system32\findstr.exe

findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" BluetoothUserService_.*"

C:\Windows\system32\sc.exe

sc queryex state= all

C:\Windows\system32\findstr.exe

findstr /irc:" BluetoothUserService_.*"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\CaptureService$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo CaptureService "

C:\Windows\system32\findstr.exe

findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" CaptureService_.*"

C:\Windows\system32\sc.exe

sc queryex state= all

C:\Windows\system32\findstr.exe

findstr /irc:" CaptureService_.*"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\cbdhsvc$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo cbdhsvc "

C:\Windows\system32\findstr.exe

findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" cbdhsvc_.*"

C:\Windows\system32\sc.exe

sc queryex state= all

C:\Windows\system32\findstr.exe

findstr /irc:" cbdhsvc_.*"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\CDPSvc$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo CDPSvc "

C:\Windows\system32\findstr.exe

findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\CDPUserSvc$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo CDPUserSvc "

C:\Windows\system32\findstr.exe

findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" CDPUserSvc_.*"

C:\Windows\system32\sc.exe

sc queryex state= all

C:\Windows\system32\findstr.exe

findstr /irc:" CDPUserSvc_.*"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\cldflt$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo cldflt "

C:\Windows\system32\findstr.exe

findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\ConsentUxUserSvc$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo ConsentUxUserSvc "

C:\Windows\system32\findstr.exe

findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" ConsentUxUserSvc_.*"

C:\Windows\system32\sc.exe

sc queryex state= all

C:\Windows\system32\findstr.exe

findstr /irc:" ConsentUxUserSvc_.*"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\CredentialEnrollmentManagerUserSvc$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo CredentialEnrollmentManagerUserSvc "

C:\Windows\system32\findstr.exe

findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" CredentialEnrollmentManagerUserSvc_.*"

C:\Windows\system32\sc.exe

sc queryex state= all

C:\Windows\system32\findstr.exe

findstr /irc:" CredentialEnrollmentManagerUserSvc_.*"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DcpSvc$"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DeviceAssociationBrokerSvc$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo DeviceAssociationBrokerSvc "

C:\Windows\system32\findstr.exe

findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" DeviceAssociationBrokerSvc_.*"

C:\Windows\system32\sc.exe

sc queryex state= all

C:\Windows\system32\findstr.exe

findstr /irc:" DeviceAssociationBrokerSvc_.*"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DeviceAssociationService$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo DeviceAssociationService "

C:\Windows\system32\findstr.exe

findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DevicePickerUserSvc$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo DevicePickerUserSvc "

C:\Windows\system32\findstr.exe

findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" DevicePickerUserSvc_.*"

C:\Windows\system32\sc.exe

sc queryex state= all

C:\Windows\system32\findstr.exe

findstr /irc:" DevicePickerUserSvc_.*"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

C:\Windows\system32\findstr.exe

findstr /irc:".*\\services\\DevicesFlowUserSvc$"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo DevicesFlowUserSvc "

C:\Windows\system32\findstr.exe

findstr /i "AarSvc BcastDVRUserService BluetoothUserService CaptureService cbdhsvc ConsentUxUserSvc CredentialEnrollmentManagerUserSvc DeviceAssociationBrokerSvc DevicePickerUserSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc MessagingService CDPUserSvc DevicesFlowUserSvc OneSyncSvc UnistoreSvc UserDataSvc WpnUserService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc queryex state= all | findstr /irc:" DevicesFlowUserSvc_.*"

C:\Windows\system32\sc.exe

sc queryex state= all

C:\Windows\system32\findstr.exe

findstr /irc:" DevicesFlowUserSvc_.*"

C:\Windows\system32\reg.exe

reg query HKLM\SYSTEM\CurrentControlSet\Services

Network

Country  Destination          Domain                         Proto
US       138.91.171.81:80     -                              tcp
US       8.8.8.8:53           133.211.185.52.in-addr.arpa    udp
US       8.8.8.8:53           68.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53           37.56.20.217.in-addr.arpa      udp
US       8.8.8.8:53           9.228.82.20.in-addr.arpa       udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa      udp
US       8.8.8.8:53           g.bing.com                     udp
US       204.79.197.200:443   g.bing.com                     tcp
US       8.8.8.8:53           157.123.68.40.in-addr.arpa     udp
US       8.8.8.8:53           178.223.142.52.in-addr.arpa    udp
US       8.8.8.8:53           198.187.3.20.in-addr.arpa      udp
US       8.8.8.8:53           183.142.211.20.in-addr.arpa    udp
US       8.8.8.8:53           100.5.17.2.in-addr.arpa        udp
US       8.8.8.8:53           119.110.54.20.in-addr.arpa     udp
US       8.8.8.8:53           18.134.221.88.in-addr.arpa     udp
US       8.8.8.8:53           206.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53           17.134.221.88.in-addr.arpa     udp
US       8.8.8.8:53           217.135.221.88.in-addr.arpa    udp
US       8.8.8.8:53           179.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53           176.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53           57.169.31.20.in-addr.arpa      udp
US       8.8.8.8:53           13.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53           182.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53           tse1.mm.bing.net               udp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       8.8.8.8:53           67.112.168.52.in-addr.arpa     udp
US       8.8.8.8:53           190.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53           33.134.221.88.in-addr.arpa     udp
US       8.8.8.8:53           186.178.17.96.in-addr.arpa     udp

Files

memory/232-0-0x0000000140000000-0x00000001400B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5D43.tmp\5D44.tmp\5D45.bat

MD5 094fe951e317efb61ed1f050cd6d4220
SHA1 a9ee17b0573d9191da8242f6922075e3c2a021a2
SHA256 9ed136a0badeae075bb4298500840a4b9a53365ee11449af0cf25886f25f206b
SHA512 9a0571f51deced515e3c125ef54bbc30e7d1afb45d8bd2d84525b8cc555c36cad0cefd6cf8c1a8b68e7eaef7d3f23eab133680387ae3cb26d24ca8d40fcd0f58

C:\Users\Admin\AppData\Local\Temp\'

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 a81cced386011e782b43c0d3251b560b
SHA1 6b7d165226b6a6a9c09c114917d6f7b70ed3d52b
SHA256 aa03808fa7d3d597c9532b62ac48a55e5796cc947fedc98becb5e41f15f8e2e9
SHA512 215273e2c7f2dee477cf55db257cf91b6c9666ab21d8cb07f273371239bc267b8ef634ca9ea396fe4252351fe64f60eac436faedab1bd8d2d78234cf3fa95608

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 44f81b751ab0e430f91039661badb994
SHA1 8c6c0a80f9545745bccb1dc60208e90954c025ec
SHA256 c9061f8a635d7b49893673b6c69d3c400972e45f221f698efde216d476f9387e
SHA512 e5dd78db2bab945bcbb56242579e82ea670033410f48f22c5dd52621db1811be2c7e1dc134ab563355113e437b536a8e5abf931fa700705721a89172a5e1aa8e

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 91418fff4aedc3c32effe9e134de31c7
SHA1 9e399d8a14d2848736e3e79d9768f9384ffdfaf0
SHA256 c146fe1ea70d4f8919324ebf2e05386a081365b006f14fa7d4de18e16b08b7b8
SHA512 611f10e011b458a77bf94b5cfb0f7f5a8095df46f2e41db491ae7407264acd059cc728cb1837ab0274c481b6dd7e156f45608450ab707036310acd9fcee00349

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 314facf04e765b8d30c8394a8db979cf
SHA1 898c853f7367027f3f9755ae28c9ab5d3d7aceda
SHA256 30a27a15ee3b707af70bcf7e3010c8d95fb2210c5f2ec39b3cbc11030a8d971d
SHA512 ae4350a37227b38c707b12e323f309091fd0f1bcb56a1b912bb2fe7d9ea89982c588beb2dbdde637fcbf9af2cfbe35deb0c461b36ea57d2c9319ac4d765b4d60

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 cf0e6212974313466638c2ee46fb0d0f
SHA1 e59d48fb0dd400f65d62f542b554b0157adb7735
SHA256 6f64b34df0d4a3cde3050a75636f79354f5c800e0fbf50d6456a371b63926120
SHA512 4e2f23238b889f84b59e0d83b5ef2e3981bbfa4506f114b2e53986eae7cb0a028c59ed6f039428be0dbea67df6de454c611ee4016f3327ce88cab7bd63172395

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 3884887f65745965da0fe42ff68e8e46
SHA1 5001b2948c288653e16248f8761b4c9ed8900044
SHA256 08b46b6d09e7678b034b1ccf96a366f71d001127554bef9fd97fff7873beda99
SHA512 9ed3406b7272eee3a13731f1649e1fd2f3273f472f5dc192e749afd0ac5e4f4f7d46d4447212b880f8730bb3b46bf0c842d3648a6101f1493b7a111b72e09788

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 69fbb26c1d8f4df2a309f9cf88340928
SHA1 990792f5db60f5a27fed21303039459dca6cc877
SHA256 fbfaac26f2d0240a0764407c4848e8989b09855988f63023b4b0faec9970d929
SHA512 7c60adc20b4df64f34c1e727d650de14509bd1033e86c22729de4eb958ae92e14cdb920a902f8605f21b23c714b34017454c89db352d0f299b019283388367b3

C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp

MD5 54acdd4639cb80d35c61bfecfa767d70
SHA1 14aeed34ef32cb585cbc96eb809c5b4fd7312b87
SHA256 c6bb31338d16a8fd3a09ec41fb010f67a75999ace6981a9d7965cab15d3f9a44
SHA512 64c648b6ffb942632a4d39219a8e2861b0b2f8f6e817e3a0ac65259997c777c740c67cd00db4389fbc5e50fedc52fa4488b2c989456a5e7112c7eea7167be7fb

memory/232-32-0x0000000140000000-0x00000001400B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 4e13bc2227bf31265b8db09593cb3657
SHA1 85ad3efe4613e7a37d697b9a72e0bc1bcbda1c57
SHA256 037dc57dd95d18bf446bfc091c84df9659c83ec31a2bf28332833a2af902d10c
SHA512 c699d077d94a6b37239dc2da072f62f947bd140d7be9b8ccb3338fe101dfb9aff07b99aa2b924e20df1a99abf4f18089ce1d9d9c16fdd5d0468d1e8f24cdbf15

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 943471f039cb82d7e5a146f2397807c3
SHA1 fc5d5e2f5bd4caf930ae823a080754b3bc3c8d2e
SHA256 92eddbb3afb6348f90603b48a65b7e3d300b525107b5d6299b5738d2517d4dff
SHA512 25dec352d18b6263ffefaadf8f5acb0509a4a437425a8d9af96623696f7d6db5d1f9bc6197ecfffbbfad10c045ab5a6f71ba074d45e9d1388fac40533bbb4b8d

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 266b2aabcd30d0afd83540daae99a22b
SHA1 6e94ebdc327d1581eab746c27cfe816948c38ab7
SHA256 6921ef6e2f742568023da2ec7bb3eb0e0b0d85820c1471a0c95c959dac19c8be
SHA512 738cf6d936301f1b049e934710002432b6a2689aceaeb3be80b6dbcb41deadf553d83fa7ea8851234e6917e1582da6545aaf22b0e31e0c5baa9144e68bea4051

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 970785299fcc92ab24103af56c64cfd3
SHA1 72a8bada2a8aa69634c5b7ac2bb850c8ef3f3d48
SHA256 59204b27e2569e9c5a481af3886abe6bc4b8dda6a450102b84612e72a90f151c
SHA512 93dbf4989db1e7cf5fda8ff02ebd2eacc4ae74142ddd328a103c3034724eea04621777dc742a6a347bad91468b4890675efddc8024f05a35eb9f13dd7c73dc81

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 f8263a827d2cc8ecee893b3051f0f0d4
SHA1 927bb7b2dfa41097a016aedb3c8741373f439787
SHA256 1c5ac8e25fd1e5848d752fde2b7e5b1a418b1e896c7324006025942734a3052f
SHA512 d18abbd486ef475cb71e3eb483992d88324a495cea6e7eefbc95d940ec46dfe108d40c5bc0b92052c1fd2d0a873648571d490cad8994506dc5369a8f196373cc

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 8d0147ec334f4b2567029dfce703fcde
SHA1 b1821df7c08d996d0d4fd09165ba2c6e2b2ecc24
SHA256 a4307857231aad4e1ad6c49fd5cc4e5ecaa593cf671fbe48c3002e4fa604fdf2
SHA512 6e3d14675079e0c5869a1879c5a33e8082b2ad90a716fe9f6d66a660a40ee110935c0bbb668b8bf4c190e9fb28582d6c4e9942b04c7a30417323dafe2146aeea

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 c82a9ecd14c067e8a52e2ae041d5790f
SHA1 9491863a587f01917a6de13235721f769f4ecbf9
SHA256 db036483e8b88559a05534170f842bf0339f6f258122845568345ec8e4402782
SHA512 127ab799d673ad3ec8d2ed7e9fff5758ed241b1be6c3039c499385b35dc9f7db007d92477c905995da69b7f4679ef528352f5ea2978e23bc2f4017dbdbdf4b78

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 599f806a626dda2fa2cbc755e98b5bb4
SHA1 30d69b664f0eb40102a1de9dc34e7a2fa33f21e5
SHA256 702ef14a4166667a42ee50f5a04298c951ba7464653e04ea04a6610386ac6c33
SHA512 318a531b6991ec1bebc21ded11555c3043e6674eb68b11218aa47ac4782463c3e8d58620a5b6d69860a659ac383cd3cc404fc659c85c839ecbba7f30b9fb981e

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 0efa62e28f946112649b917f19e96c90
SHA1 be33e7fb85194a025460bf9dabd7236e7935e7ba
SHA256 6ac5c33ccc6b9db0424c3c38acda4ee0aacf21155aef111857f4889080c93400
SHA512 6497b3aea9d35fbbbf87f8253e61442e590f3a432ed53e166aa3d14c9d54afd73da0b1b44850b6f6e00674e427b818dafaa1c463057be0f5baba0d9edcf962d9

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 9e5bc90abc2d668ec0edeafd847a367c
SHA1 f12743d1f5407546eb70c162d53d6a05870b680f
SHA256 ea94e743be9a8e6c294bccf4f3f7bd0a0f459aecb6d272098e91eab3fade3a23
SHA512 17f5ad246b0d93e7f3d51227797ac6f0a380799a688c8dd1ab233d82938d1b21c86a2a256e42e6814d3efed24252101f4082c056bd17366a1a70aad7aa090649

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 e75b24a3f3a9a5e65ee890cc95be6949
SHA1 89b90b0251baa77a186d00ef3e8ffc76edd65aba
SHA256 5b0e23aef6a89ee46f0b96fc8a820dc9feca59ff3c2a49b1979f692796a4c9d7
SHA512 3887322d4f485379980c4130d3109824fe54558e3836bf68fe01d1842b5cc5acda726b8fc4a70d7f2df5e00ba329061eb2e606bd3a2d956974675f873777d0ff

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 3c0e051cae923ef7acf4d09afdfd0427
SHA1 a7c7b28c1f749cf9e1514c9d2198b7c08ceb5d05
SHA256 823762c92e56396a66bbcac80faa9a3f52f7b05351dbd43369a22dad8c38d010
SHA512 0b6192ca85587a765591409900ac45c333f600ed08f4dc1a10993317d6d048cd0beb05981109b738fe5527fd92e5ee2d819d273f55bf0c5c49e594a5966abee4

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 630ce4b131a85c9367238355707b2fa3
SHA1 fe5655144f2faa2f4e2c2595da99bfa9d169e63b
SHA256 6c3bbbc37037c45f6cfd5100f7ce860cfed590bae6ed2a844d353fdfaa7c329c
SHA512 8a25a5489cd6a0c203d495f928271221c1e2cfba25cff7b5698d8d071894e2be9c67a2e9fbac1c95ecb6e194c54e603ccc00d4477fffeb0f0109cba3a4d0d617

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 8da145462f785db926f4289d0a9c2fdb
SHA1 32c2bd035bdc95f1d3c7ed4850545004653eb1ed
SHA256 2556082038f3a5bd5752b774971e7a5744a5f7a17452277ef46b215c73de2132
SHA512 958fc6e754036bba5cdee1638639586ccde6b3adc6deadc5c8ac1cf10e8a06db9d3c44d13957eab0ca2d31ba70adfdac5e6be6616ebc1d109a91b27700044caa

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 28b4ffd6efb374469609c1d8fba31c4d
SHA1 6e70d8ce6a3d22c3f8e1ed7aa5b70556712331f8
SHA256 b0eacbaca80bce3d73d60c5ee14e219573474fcf9c94a269e61746b09f6e1fba
SHA512 88ff8492390e577770f1a47d773c981b2f662962d37f6ad43eec40571442dd0c9300f88af51e5dc91fa62274e8498c4d2b8106ef910af7eb8299fd69268dac0f

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 1e930993fa6581249e4c13726d1cb09d
SHA1 f34f88fddcea971d4ee8cfd27b18f62fd11f5df2
SHA256 cd8746fce7c39374e2612724cb78ba4d6d8bf9a326d0804f464516039c7a482f
SHA512 b918c8360e8d5b998e8e92ec2e075dab749c0faabb3a652d3c92338985f01912664d0828b9cb061786b32ce875d1bd718baccdf32c7553ccda15dbdc3216883a

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 f59c8225d45fea0c2f3ac81076972e64
SHA1 eab8e70c711290d71e86aad0de22bbc470f0272c
SHA256 969df9f0b907b29ea0c707e677b3cfccc845eeb9c79a0f876ccc3c0a19f49aa0
SHA512 d3783e7f962b14af39274a5fe3dfdf0b9c05dfd2c9142686c4b68af6dc6d6c558ef39996ed047696224294e09b2ef9fe8916d9afe1ce73ea85572f6d4f4ef67a

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 36e95110bfe5c7e3f094ae3f15c5a522
SHA1 79f4c8882af66200d903286174545c0012b55910
SHA256 150ae6592f59877a6e0aaac15db93d01bc6b77e026f2d58e0a5cc2b522319b96
SHA512 a16962f2581cf3c36a25b37e6811b2ffc11dc18e9dd274aff65bceaa10f19c4351370dc563f0cfde65a8918d24493eaac26cdae7f3fdd55785e7123803dc9af7

C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

MD5 9e699fe700519772efa1b6f45b23e10e
SHA1 c4a81031ca2fd39e523e9d6aeb8d3ab712d82745
SHA256 fecce82f4a5d654559b54faf3ef53883afe14c260b6ee7170a06eeaad7d30abf
SHA512 8e9c857eef024c1f13cc5a3d37bb3c760279b7f3e7e69654ac8af02da3c265c102f2675adf88c85ce9815232e5dbb5c39f2e2b477769a94bd58934d1fd3c5ca3

memory/2556-145-0x0000026E6D870000-0x0000026E6D892000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ceb1wvbq.kqp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2556-155-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp

memory/2556-156-0x0000026E6D730000-0x0000026E6D740000-memory.dmp

memory/2556-157-0x0000026E6D730000-0x0000026E6D740000-memory.dmp

memory/2556-158-0x0000026E6D730000-0x0000026E6D740000-memory.dmp

memory/2556-161-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp

memory/1980-162-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp

memory/1980-163-0x000001EBFA5E0000-0x000001EBFA5F0000-memory.dmp

memory/1980-173-0x000001EBFA5E0000-0x000001EBFA5F0000-memory.dmp

memory/1980-175-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp

memory/4364-185-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp

memory/4364-187-0x000001E3E8F10000-0x000001E3E8F20000-memory.dmp

memory/4364-186-0x000001E3E8F10000-0x000001E3E8F20000-memory.dmp

memory/4364-188-0x000001E3E8F10000-0x000001E3E8F20000-memory.dmp

memory/4364-190-0x000001E3E8F10000-0x000001E3E8F20000-memory.dmp

memory/4364-192-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp

memory/2036-198-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp

memory/2036-200-0x000002E5BBAD0000-0x000002E5BBAE0000-memory.dmp

memory/2036-204-0x000002E5BBAD0000-0x000002E5BBAE0000-memory.dmp

memory/2036-205-0x000002E5BBAD0000-0x000002E5BBAE0000-memory.dmp

memory/2036-207-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp

memory/3904-217-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp

memory/3904-218-0x000001946F620000-0x000001946F630000-memory.dmp

memory/3904-219-0x000001946F620000-0x000001946F630000-memory.dmp

memory/3904-220-0x000001946F620000-0x000001946F630000-memory.dmp

memory/3904-222-0x00007FFC8B200000-0x00007FFC8BCC1000-memory.dmp