d49951c28db58e53ab86f40b8abb44542db3d544d8864440daf07179c3e1712a

Analysis

max time kernel
141s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 01:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

blackbird_v1.0.79.2_32/blackbird.exe
Size

551KB
MD5

7b8e60c84ed65e11cbdf18927ae7811b
SHA1

08ab14a13a07cf2ec57e18748d51a655c6867c8f
SHA256

f47f71fa9f9ef4c9ad3dd1a345a7f6fd34c32035789bc997c8d87aafdcb36326
SHA512

32f718577bc97afbdea4af2e7c394e62bcccc3fd6e83c15545f7fa37356ea9a77c1e21e8258e43a658e1a887eab9d565267510f2a96d1e58043ecba4b77b4188
SSDEEP

12288:dnrsBhkIjzSW0kj0meHvOxZ/XyCoOyM/Ne6CGZXHESoSy:N6kuSCImevOz/XyCo4/Nel

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5072-0-0x0000000000400000-0x00000000004A1000-memory.dmp	upx
behavioral2/memory/5072-42-0x0000000000400000-0x00000000004A1000-memory.dmp	upx

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4920	reg.exe
3556	reg.exe
4488	reg.exe
2584	reg.exe
2404	reg.exe
5024	reg.exe
3588	reg.exe
4564	reg.exe
2544	reg.exe
4524	reg.exe
1684	reg.exe
2380	reg.exe
636	reg.exe
3128	reg.exe
1648	reg.exe
4704	reg.exe
680	reg.exe
3700	reg.exe
3776	reg.exe
4056	reg.exe
1916	reg.exe
2872	reg.exe
5004	reg.exe
4640	reg.exe
1960	reg.exe
2544	reg.exe
3872	reg.exe
1884	reg.exe
4524	reg.exe
1972	reg.exe
2256	reg.exe
2664	reg.exe
3516	reg.exe
808	reg.exe
1164	reg.exe
1412	reg.exe
4264	reg.exe
8	reg.exe
808	reg.exe
4496	reg.exe
4012	reg.exe
3508	reg.exe
2648	reg.exe
2140	reg.exe
2816	reg.exe
3292	reg.exe
4524	reg.exe
2344	reg.exe
4428	reg.exe
4956	reg.exe
4920	reg.exe
1112	reg.exe
4840	reg.exe
4936	reg.exe
1884	reg.exe
772	reg.exe
4544	reg.exe
4864	reg.exe
388	reg.exe
4072	reg.exe
640	reg.exe
3008	reg.exe
5112	reg.exe
4764	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4348	shutdown.exe
Token: SeRemoteShutdownPrivilege	4348	shutdown.exe
Token: SeIncreaseQuotaPrivilege	3700	WMIC.exe
Token: SeSecurityPrivilege	3700	WMIC.exe
Token: SeTakeOwnershipPrivilege	3700	WMIC.exe
Token: SeLoadDriverPrivilege	3700	WMIC.exe
Token: SeSystemProfilePrivilege	3700	WMIC.exe
Token: SeSystemtimePrivilege	3700	WMIC.exe
Token: SeProfSingleProcessPrivilege	3700	WMIC.exe
Token: SeIncBasePriorityPrivilege	3700	WMIC.exe
Token: SeCreatePagefilePrivilege	3700	WMIC.exe
Token: SeBackupPrivilege	3700	WMIC.exe
Token: SeRestorePrivilege	3700	WMIC.exe
Token: SeShutdownPrivilege	3700	WMIC.exe
Token: SeDebugPrivilege	3700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3700	WMIC.exe
Token: SeRemoteShutdownPrivilege	3700	WMIC.exe
Token: SeUndockPrivilege	3700	WMIC.exe
Token: SeManageVolumePrivilege	3700	WMIC.exe
Token: 33	3700	WMIC.exe
Token: 34	3700	WMIC.exe
Token: 35	3700	WMIC.exe
Token: 36	3700	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3700	WMIC.exe
Token: SeSecurityPrivilege	3700	WMIC.exe
Token: SeTakeOwnershipPrivilege	3700	WMIC.exe
Token: SeLoadDriverPrivilege	3700	WMIC.exe
Token: SeSystemProfilePrivilege	3700	WMIC.exe
Token: SeSystemtimePrivilege	3700	WMIC.exe
Token: SeProfSingleProcessPrivilege	3700	WMIC.exe
Token: SeIncBasePriorityPrivilege	3700	WMIC.exe
Token: SeCreatePagefilePrivilege	3700	WMIC.exe
Token: SeBackupPrivilege	3700	WMIC.exe
Token: SeRestorePrivilege	3700	WMIC.exe
Token: SeShutdownPrivilege	3700	WMIC.exe
Token: SeDebugPrivilege	3700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3700	WMIC.exe
Token: SeRemoteShutdownPrivilege	3700	WMIC.exe
Token: SeUndockPrivilege	3700	WMIC.exe
Token: SeManageVolumePrivilege	3700	WMIC.exe
Token: 33	3700	WMIC.exe
Token: 34	3700	WMIC.exe
Token: 35	3700	WMIC.exe
Token: 36	3700	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1960	WMIC.exe
Token: SeSecurityPrivilege	1960	WMIC.exe
Token: SeTakeOwnershipPrivilege	1960	WMIC.exe
Token: SeLoadDriverPrivilege	1960	WMIC.exe
Token: SeSystemProfilePrivilege	1960	WMIC.exe
Token: SeSystemtimePrivilege	1960	WMIC.exe
Token: SeProfSingleProcessPrivilege	1960	WMIC.exe
Token: SeIncBasePriorityPrivilege	1960	WMIC.exe
Token: SeCreatePagefilePrivilege	1960	WMIC.exe
Token: SeBackupPrivilege	1960	WMIC.exe
Token: SeRestorePrivilege	1960	WMIC.exe
Token: SeShutdownPrivilege	1960	WMIC.exe
Token: SeDebugPrivilege	1960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1960	WMIC.exe
Token: SeRemoteShutdownPrivilege	1960	WMIC.exe
Token: SeUndockPrivilege	1960	WMIC.exe
Token: SeManageVolumePrivilege	1960	WMIC.exe
Token: 33	1960	WMIC.exe
Token: 34	1960	WMIC.exe
Token: 35	1960	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1548	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4636	5072	blackbird.exe	85
PID 5072 wrote to memory of 4636	5072	blackbird.exe	85
PID 4636 wrote to memory of 4964	4636	cmd.exe	90
PID 4636 wrote to memory of 4964	4636	cmd.exe	90
PID 4636 wrote to memory of 752	4636	cmd.exe	91
PID 4636 wrote to memory of 752	4636	cmd.exe	91
PID 4636 wrote to memory of 4348	4636	cmd.exe	92
PID 4636 wrote to memory of 4348	4636	cmd.exe	92
PID 4636 wrote to memory of 4424	4636	cmd.exe	93
PID 4636 wrote to memory of 4424	4636	cmd.exe	93
PID 4636 wrote to memory of 3064	4636	cmd.exe	94
PID 4636 wrote to memory of 3064	4636	cmd.exe	94
PID 3064 wrote to memory of 3700	3064	cmd.exe	95
PID 3064 wrote to memory of 3700	3064	cmd.exe	95
PID 3064 wrote to memory of 4928	3064	cmd.exe	96
PID 3064 wrote to memory of 4928	3064	cmd.exe	96
PID 4636 wrote to memory of 4268	4636	cmd.exe	98
PID 4636 wrote to memory of 4268	4636	cmd.exe	98
PID 4636 wrote to memory of 404	4636	cmd.exe	99
PID 4636 wrote to memory of 404	4636	cmd.exe	99
PID 4636 wrote to memory of 4476	4636	cmd.exe	100
PID 4636 wrote to memory of 4476	4636	cmd.exe	100
PID 4636 wrote to memory of 3300	4636	cmd.exe	101
PID 4636 wrote to memory of 3300	4636	cmd.exe	101
PID 4636 wrote to memory of 4136	4636	cmd.exe	102
PID 4636 wrote to memory of 4136	4636	cmd.exe	102
PID 4636 wrote to memory of 720	4636	cmd.exe	103
PID 4636 wrote to memory of 720	4636	cmd.exe	103
PID 720 wrote to memory of 5048	720	cmd.exe	104
PID 720 wrote to memory of 5048	720	cmd.exe	104
PID 720 wrote to memory of 4216	720	cmd.exe	105
PID 720 wrote to memory of 4216	720	cmd.exe	105
PID 720 wrote to memory of 3380	720	cmd.exe	106
PID 720 wrote to memory of 3380	720	cmd.exe	106
PID 4636 wrote to memory of 5044	4636	cmd.exe	107
PID 4636 wrote to memory of 5044	4636	cmd.exe	107
PID 4636 wrote to memory of 3748	4636	cmd.exe	108
PID 4636 wrote to memory of 3748	4636	cmd.exe	108
PID 4636 wrote to memory of 2120	4636	cmd.exe	109
PID 4636 wrote to memory of 2120	4636	cmd.exe	109
PID 2120 wrote to memory of 2404	2120	cmd.exe	110
PID 2120 wrote to memory of 2404	2120	cmd.exe	110
PID 2120 wrote to memory of 4524	2120	cmd.exe	111
PID 2120 wrote to memory of 4524	2120	cmd.exe	111
PID 4636 wrote to memory of 776	4636	cmd.exe	113
PID 4636 wrote to memory of 776	4636	cmd.exe	113
PID 776 wrote to memory of 1960	776	cmd.exe	114
PID 776 wrote to memory of 1960	776	cmd.exe	114
PID 4636 wrote to memory of 4840	4636	cmd.exe	116
PID 4636 wrote to memory of 4840	4636	cmd.exe	116
PID 4636 wrote to memory of 3280	4636	cmd.exe	117
PID 4636 wrote to memory of 3280	4636	cmd.exe	117
PID 4636 wrote to memory of 4016	4636	cmd.exe	118
PID 4636 wrote to memory of 4016	4636	cmd.exe	118
PID 4636 wrote to memory of 1112	4636	cmd.exe	119
PID 4636 wrote to memory of 1112	4636	cmd.exe	119
PID 4636 wrote to memory of 5016	4636	cmd.exe	120
PID 4636 wrote to memory of 5016	4636	cmd.exe	120
PID 4636 wrote to memory of 4956	4636	cmd.exe	121
PID 4636 wrote to memory of 4956	4636	cmd.exe	121
PID 4636 wrote to memory of 428	4636	cmd.exe	122
PID 4636 wrote to memory of 428	4636	cmd.exe	122
PID 4636 wrote to memory of 1332	4636	cmd.exe	123
PID 4636 wrote to memory of 1332	4636	cmd.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\blackbird_v1.0.79.2_32\blackbird.exe
"C:\Users\Admin\AppData\Local\Temp\blackbird_v1.0.79.2_32\blackbird.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7520.tmp\7521.tmp\7522.bat C:\Users\Admin\AppData\Local\Temp\blackbird_v1.0.79.2_32\blackbird.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:4964
- - C:\Windows\system32\fltMC.exe
    fltmc
    3⤵
    PID:752
- - C:\Windows\system32\shutdown.exe
    shutdown /a
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic /node:"SPDOHFMA" COMPUTERSYSTEM GET USERNAME | findstr /i "SPDOHFMA"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /node:"SPDOHFMA" COMPUTERSYSTEM GET USERNAME
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3700
  - - C:\Windows\system32\findstr.exe
      findstr /i "SPDOHFMA"
      4⤵
      PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users\Admin\AppData\Local\Temp\blackbirds_temp "
    3⤵
    PID:4268
- - C:\Windows\system32\findstr.exe
    findstr /i ".*\\blackbirds_temp"
    3⤵
    PID:404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps; "
    3⤵
    PID:4476
- - C:\Windows\system32\findstr.exe
    findstr /i "powershell"
    3⤵
    PID:3300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
    3⤵
    PID:4136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mode con|findstr /n "^"|findstr /l /b /c:"5:"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:720
  - - C:\Windows\system32\mode.com
      mode con
      4⤵
      PID:5048
  - - C:\Windows\system32\findstr.exe
      findstr /n "^"
      4⤵
      PID:4216
  - - C:\Windows\system32\findstr.exe
      findstr /l /b /c:"5:"
      4⤵
      PID:3380
- - C:\Windows\system32\reg.exe
    reg query "HKCU\Control Panel\Desktop"
    3⤵
    PID:5044
- - C:\Windows\system32\findstr.exe
    findstr /ir "\<PreferredUILanguages.*REG_MULTI_SZ "
    3⤵
    PID:3748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\System\ControlSet001\Control\Nls\Language" /v "InstallLanguage" | findstr /ir "\<InstallLanguage.*REG_SZ "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\System\ControlSet001\Control\Nls\Language" /v "InstallLanguage"
      4⤵
      PID:2404
  - - C:\Windows\system32\findstr.exe
      findstr /ir "\<InstallLanguage.*REG_SZ "
      4⤵
      PID:4524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_useraccount where name='Admin' get sid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_useraccount where name='Admin' get sid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" dir /b "C:\Program Files (x86)\" "
    3⤵
    PID:4840
- - C:\Windows\system32\findstr.exe
    findstr /irc:"NVIDIA Corporation"
    3⤵
    PID:3280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:4016
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:1112
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:4956
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:428
- - C:\Windows\system32\findstr.exe
    findstr /a:06 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:1332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:4116
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:2508
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:4800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:1552
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:4864
- - C:\Windows\system32\findstr.exe
    findstr /a:06 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:3352
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:2608
- - C:\Windows\system32\findstr.exe
    findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:388
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:808
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:2920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:3292
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:4032
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:3084
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:2544
- - C:\Windows\system32\findstr.exe
    findstr /a:60 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:3804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:2124
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:1792
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:852
- - C:\Windows\system32\ROUTE.EXE
    route print
    3⤵
    PID:436
- - C:\Windows\system32\findstr.exe
    findstr /rc:".*255\.255\.255\.255.* 127\.0\.0\.0.* 1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\bird.ncfg.tmp"
    3⤵
    PID:2012
- - C:\Windows\system32\findstr.exe
    findstr /rc:".*0.* 1 .*\:.*\:.*\:.*/128$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\bird.ncfg.tmp"
    3⤵
    PID:3516
- - C:\Windows\system32\schtasks.exe
    schtasks /query /fo list
    3⤵
    PID:2812
- - C:\Windows\system32\findstr.exe
    findstr /vr ".*\\UpdateOrchestrator\\Schedule.*Scan$ .*\\USO_Broker_Display$ .*\\USO_UxBroker$ .*\\WinSAT$"
    3⤵
    PID:1972
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Office\\Office 15 Subscription Heartbeat$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4240
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3700
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\AgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:1704
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\AgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:404
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Office\\OfficeTelemetry\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3032
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentFallBack$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4136
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentFallBack2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:920
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentLogOn$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:1408
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Office\\OfficeTelemetryAgentLogOn2016$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:1556
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\AppID\\SmartScreenSpecific$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3452
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\AppID\\VerifiedPublisherCertStoreCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3380
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Application Experience\\AitAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:5048
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Application Experience\\Microsoft Compatibility Appraiser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:452
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Application Experience\\ProgramDataUpdater$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3356
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Application Experience\\StartupAppTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3188
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierDaily$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4580
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\ApplicationData\\AppUriVerifierInstall$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2140
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\ApplicationData\\DsSvcCleanup$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4564
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Autochk\\Proxy$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:776
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\CloudExperienceHost\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4840
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\BthSQM$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3280
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4324
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\HypervisorFlightingTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:1628
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\KernelCeipTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3896
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\Uploader$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4796
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Customer Experience Improvement Program\\UsbCeip$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4464
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Device information\\Device$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4040
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Device Setup\\Metadata Refresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2624
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticDataCollector$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:428
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticResolver$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:556
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\DiskFootprint\\Diagnostics$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2740
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\End Of Support\\Notify1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3728
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\End Of Support\\Notify2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:5056
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\ErrorDetails\\EnableErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3200
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\ErrorDetails\\ErrorDetailsUpdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:1684
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Feedback\\Siuf\\DmClient$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3872
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Feedback\\Siuf\\DmClientOnScenarioDownload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4864
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\FileHistory\\File History (maintenance mode)$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:1236
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2744
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\IME\\SQM data sender$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3248
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\LanguageComponentsInstaller\\Installation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4224
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\LanguageComponentsInstaller\\ReconcileLanguageResources$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2240
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Location\\Notifications$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:1084
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Maintenance\\WinSAT$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:1624
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\ActivateWindowsSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3240
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\ConfigureInternetTimeService$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2920
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\DispatchRecoveryTasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2312
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\ehDRMInit$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3496
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\InstallPlayReady$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3776
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\mcupdate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4400
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\MediaCenterRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:5012
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\ObjectStoreRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4812
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\OCURActivate$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:1168
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\OCURDiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4288
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\PBDADiscovery$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3184
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW1$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:1004
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\PBDADiscoveryW2$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4776
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\PvrRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4320
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\PvrScheduleTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4480
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\RegisterSearch$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4260
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\ReindexSearchRoot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3720
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\SqlLiteRecoveryTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3060
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Media Center\\UpdateRecordPath$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:116
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Mobile Broadband Accounts\\MNO Metadata Parser$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:1972
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\NetTrace\\GatherNetworkInfo$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4072
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\NlaSvc\\WiFiTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3700
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\PerfTrack\\BackgroundConfigSurveyor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2256
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\PI\\Sqm-Tasks$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3008
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeSystem$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:640
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\PushToInstall\\LoginCheck$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3996
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\PushToInstall\\Registration$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:996
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\RemoteAssistance\\RemoteAssistanceTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:920
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\RemovalTools\\MRT_ERROR_HB$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:1408
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\SettingSync\\BackgroundUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3096
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\SettingSync\\BackupTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3380
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\SettingSync\\NetworkStateChangeTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:5048
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Setup\\gwx\\launchtrayprocess$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3904
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2020
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfigandcontent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:5004
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3356
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Logon-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4524
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:860
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\MachineUnlock-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2140
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4564
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfIdle-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:968
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3160
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\OutOfSleep-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4128
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\refreshgwxconfig-B$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:1488
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Telemetry-4xd$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:1564
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-10s$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4016
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Setup\\GWXTriggers\\Time-5d$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3472
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Shell\\CreateObjectTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4920
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyMonitor$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4836
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyMonitorToastTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4040
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyRefresh$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2624
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyRefreshTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4488
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Shell\\FamilySafetyUpload$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2216
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\SideShow\\SessionAgent$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2380
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\SideShow\\SystemDataProviders$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3608
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Speech\\SpeechModelDownloadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:680
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:1248
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4352
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan Static Task$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:1920
- - C:\Windows\system32\schtasks.exe
    schtasks /query /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task"
    3⤵
    PID:2816
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Disabled .*$"
    3⤵
    PID:1236
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_Broker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3076
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_RebootDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4224
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2240
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_Display$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:388
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_ReadyToReboot$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2956
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3240
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\UpdateOrchestrator\\USO_WnfDisplay$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2920
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\UPnP\\UPnPHostConfig$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2312
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\User Profile Service\\HiveUploadTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3496
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\WaaSMedic\\PerformRemediation$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3776
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4400
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\Windows Error Reporting\\QueueReporting$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:5012
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3588
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\Windows\\WindowsUpdate\\sih$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4272
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\XblGameSave\\XblGameSaveTask$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:396
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\Microsoft\\XblGameSave\\XblGameSaveTaskLogon$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2084
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\OneDrive Standalone Update Task-S-1-5-21-711569230-3659488422-571408806-1000$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4304
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:4548
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\NvTmRep$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2012
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3516
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\NvTmRepCR1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3680
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\NvTmRepCR2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:2456
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\NvTmRepCR3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:3060
- - C:\Windows\system32\findstr.exe
    findstr /irc:" \\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}$" "C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp"
    3⤵
    PID:116
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:1972
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\AarSvc$"
    3⤵
    PID:772
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\AarSvc
    3⤵
    PID:4268
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3700
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:4640
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\AeLookupSvc$"
    3⤵
    PID:404
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:640
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\BcastDVRUserService$"
    3⤵
    PID:468
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BcastDVRUserService
    3⤵
    PID:996
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4792
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:1408
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\BluetoothUserService$"
    3⤵
    PID:636
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\BluetoothUserService
    3⤵
    - Modifies registry key
    PID:4704
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:5044
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:3004
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\CaptureService$"
    3⤵
    PID:4752
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CaptureService
    3⤵
    PID:4148
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:452
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:4524
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\cbdhsvc$"
    3⤵
    PID:4580
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\cbdhsvc
    3⤵
    PID:2140
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3480
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:968
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\CDPSvc$"
    3⤵
    PID:2812
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CDPSvc
    3⤵
    PID:4324
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3128
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:3896
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\CDPUserSvc$"
    3⤵
    PID:4016
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc
    3⤵
    PID:5016
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3960
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:4832
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\cldflt$"
    3⤵
    PID:3260
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\cldflt
    3⤵
    PID:3696
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:428
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:2508
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\ConsentUxUserSvc$"
    3⤵
    PID:4296
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\ConsentUxUserSvc
    3⤵
    - Modifies registry key
    PID:2872
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3608
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:1684
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\CredentialEnrollmentManagerUserSvc$"
    3⤵
    PID:1248
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc
    3⤵
    PID:3708
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:1920
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:2980
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\DcpSvc$"
    3⤵
    PID:1236
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:544
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\DeviceAssociationBrokerSvc$"
    3⤵
    PID:4224
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DeviceAssociationBrokerSvc
    3⤵
    - Modifies registry key
    PID:808
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:1084
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:2648
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\DeviceAssociationService$"
    3⤵
    PID:2008
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DeviceAssociationService
    3⤵
    PID:2664
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:1368
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:3496
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\DevicePickerUserSvc$"
    3⤵
    PID:2160
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DevicePickerUserSvc
    3⤵
    - Modifies registry key
    PID:1916
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4400
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:5060
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\DevicesFlowUserSvc$"
    3⤵
    PID:3588
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DevicesFlowUserSvc
    3⤵
    PID:3184
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:396
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:2084
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\diagnosticshub.standardcollector.service$"
    3⤵
    PID:4312
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service
    3⤵
    PID:4320
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4628
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:4260
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\diagsvc$"
    3⤵
    PID:1884
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\diagsvc
    3⤵
    PID:4060
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:2456
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:5112
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\DiagTrack$"
    3⤵
    PID:4928
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DiagTrack
    3⤵
    PID:1892
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3720
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:4072
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\DmWapPushService$"
    3⤵
    PID:1608
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DmWapPushService
    3⤵
    - Modifies registry key
    PID:2256
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4544
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:3008
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\DoSvc$"
    3⤵
    PID:1412
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc
    3⤵
    PID:1868
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:640
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:4216
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\DPS$"
    3⤵
    PID:4108
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DPS
    3⤵
    - Modifies registry key
    PID:2584
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4900
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:1436
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\DsSvc$"
    3⤵
    PID:5048
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\DsSvc
    3⤵
    PID:1364
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3748
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:2404
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\HPTouchpointAnalyticsService$"
    3⤵
    PID:3924
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:4264
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\IEEtwCollectorService$"
    3⤵
    PID:3512
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:3556
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\InstallService$"
    3⤵
    PID:1480
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\InstallService
    3⤵
    PID:1352
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:1132
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:5024
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\iphlpsvc$"
    3⤵
    PID:4760
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc
    3⤵
    - Modifies registry key
    PID:1960
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4580
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:2140
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\lfsvc$"
    3⤵
    PID:4772
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\lfsvc
    3⤵
    - Modifies registry key
    PID:4840
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:1540
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:4936
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\lmhosts$"
    3⤵
    PID:1564
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\lmhosts
    3⤵
    - Modifies registry key
    PID:4764
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4696
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:1112
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\LxpSvc$"
    3⤵
    PID:1240
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\LxpSvc
    3⤵
    PID:1648
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:1164
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:4904
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\MessagingService$"
    3⤵
    PID:3260
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\MessagingService
    3⤵
    - Modifies registry key
    PID:4488
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:428
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:2380
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\MRxDAV$"
    3⤵
    PID:4296
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV
    3⤵
    - Modifies registry key
    PID:680
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3608
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:8
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\MRxSMB10$"
    3⤵
    PID:1248
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:2816
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\NcaSvc$"
    3⤵
    PID:1920
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\NcaSvc
    3⤵
    PID:3552
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:1172
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:2412
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\NetBT$"
    3⤵
    PID:3264
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\NetBT
    3⤵
    PID:2264
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:2608
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:808
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\NetMsmqActivator$"
    3⤵
    PID:3580
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:3292
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\OneSyncSvc$"
    3⤵
    PID:4340
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc
    3⤵
    PID:2312
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4032
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:3776
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\PcaSvc$"
    3⤵
    PID:3084
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\PcaSvc
    3⤵
    - Modifies registry key
    PID:2544
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4932
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:4496
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\PimIndexMaintenanceSvc$"
    3⤵
    PID:2124
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc
    3⤵
    - Modifies registry key
    PID:3588
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:1356
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:4528
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\PrintWorkflowUserSvc$"
    3⤵
    PID:4776
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\PrintWorkflowUserSvc
    3⤵
    PID:2012
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4548
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:5056
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\PushToInstall$"
    3⤵
    PID:3680
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\PushToInstall
    3⤵
    - Modifies registry key
    PID:1884
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:2296
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:4012
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\RemoteAccess$"
    3⤵
    PID:116
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess
    3⤵
    PID:5080
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4440
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:772
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\RemoteRegistry$"
    3⤵
    PID:1704
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
    3⤵
    - Modifies registry key
    PID:3700
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4448
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:4544
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\RetailDemo$"
    3⤵
    PID:404
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\RetailDemo
    3⤵
    PID:1412
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:468
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:640
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\sgrmbroker$"
    3⤵
    PID:920
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\sgrmbroker
    3⤵
    PID:4108
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3832
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:636
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\shpamsvc$"
    3⤵
    PID:3096
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\shpamsvc
    3⤵
    PID:5044
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:2332
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:5004
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\SmsRouter$"
    3⤵
    PID:3844
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter
    3⤵
    PID:3188
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3924
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:4068
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\srv$"
    3⤵
    PID:3512
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:2344
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\SSDPSRV$"
    3⤵
    PID:1480
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV
    3⤵
    PID:2420
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:1132
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:4524
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\StorSvc$"
    3⤵
    PID:4760
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\StorSvc
    3⤵
    - Modifies registry key
    PID:4564
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4580
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:4428
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\TrkWks$"
    3⤵
    PID:4772
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\TrkWks
    3⤵
    PID:2868
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3500
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:3128
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\tunnel$"
    3⤵
    PID:1440
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\tunnel
    3⤵
    PID:4556
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3472
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:4920
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\UevAgentService$"
    3⤵
    PID:5016
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UevAgentService
    3⤵
    - Modifies registry key
    PID:1648
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4040
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:556
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\UnistoreSvc$"
    3⤵
    PID:2624
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc
    3⤵
    PID:3728
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:2508
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:3080
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\upnphost$"
    3⤵
    PID:2380
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\upnphost
    3⤵
    - Modifies registry key
    PID:3872
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:1684
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:4864
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\UserDataSvc$"
    3⤵
    PID:8
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc
    3⤵
    - Modifies registry key
    PID:3508
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:2816
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:228
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\VDWFP$"
    3⤵
    PID:3552
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:3076
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\VisualDiscovery$"
    3⤵
    PID:2412
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:4224
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\W32Time$"
    3⤵
    PID:1624
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:388
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\WaaSMedicSvc$"
    3⤵
    PID:808
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc
    3⤵
    - Modifies registry key
    PID:2648
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3292
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:2664
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\wcncsvc$"
    3⤵
    PID:3916
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wcncsvc
    3⤵
    - Modifies registry key
    PID:3776
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:2160
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:2544
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\WdiServiceHost$"
    3⤵
    PID:4228
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\WdiServiceHost
    3⤵
    PID:1168
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4272
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:3184
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\WdiSystemHost$"
    3⤵
    PID:4416
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\WdiSystemHost
    3⤵
    PID:4356
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4312
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:4628
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\WebClient$"
    3⤵
    PID:2012
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\WebClient
    3⤵
    - Modifies registry key
    PID:3516
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:1160
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:1884
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\wercplsupport$"
    3⤵
    PID:4620
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wercplsupport
    3⤵
    PID:2336
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4928
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:4780
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\WerSvc$"
    3⤵
    PID:1972
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\WerSvc
    3⤵
    PID:1932
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:1608
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:3700
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\WinHttpAutoProxySvc$"
    3⤵
    PID:3032
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc
    3⤵
    PID:4544
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:2480
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:1412
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\WinRM$"
    3⤵
    PID:5116
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\WinRM
    3⤵
    - Modifies registry key
    PID:640
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:720
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:224
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\wisvc$"
    3⤵
    PID:3832
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wisvc
    3⤵
    PID:2504
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3096
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:1364
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\wlidsvc$"
    3⤵
    PID:2332
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc
    3⤵
    PID:2404
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3844
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:4264
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\WMPNetworkSvc$"
    3⤵
    PID:3924
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc
    3⤵
    - Modifies registry key
    PID:3556
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3512
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:2344
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\WpnService$"
    3⤵
    PID:1040
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\WpnService
    3⤵
    PID:2420
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4560
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:4524
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\WpnUserService$"
    3⤵
    PID:4244
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService
    3⤵
    PID:4564
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:4128
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:4428
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\xbgm$"
    3⤵
    PID:2812
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:2868
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\XblAuthManager$"
    3⤵
    PID:4968
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\XblAuthManager
    3⤵
    PID:3128
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:1488
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:4956
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\XblGameSave$"
    3⤵
    PID:4796
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\XblGameSave
    3⤵
    - Modifies registry key
    PID:4920
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3960
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    - Modifies registry key
    PID:1164
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\XboxGipSvc$"
    3⤵
    PID:1332
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\XboxGipSvc
    3⤵
    PID:4904
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3400
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:428
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\XboxNetApiSvc$"
    3⤵
    PID:3200
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc
    3⤵
    - Modifies registry key
    PID:4056
- - C:\Windows\system32\findstr.exe
    findstr /irc:" start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:3764
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services
    3⤵
    PID:680
- - C:\Windows\system32\findstr.exe
    findstr /irc:".*\\services\\NvTelemetryContainer$"
    3⤵
    PID:1936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger" | findstr /v "ReadyBoot Defender EventLog- Status" | findstr /i ".*\\WMI\\Autologger\\.*"
    3⤵
    PID:4236
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger"
      4⤵
      PID:8
  - - C:\Windows\system32\findstr.exe
      findstr /v "ReadyBoot Defender EventLog- Status"
      4⤵
      PID:2672
  - - C:\Windows\system32\findstr.exe
      findstr /i ".*\\WMI\\Autologger\\.*"
      4⤵
      PID:4708
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Cellcore"
    3⤵
    PID:2952
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:1236
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger"
    3⤵
    PID:2980
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:4720
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\CloudExperienceHostOobe"
    3⤵
    PID:1320
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:3024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DataMarket"
    3⤵
    PID:1748
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:388
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog"
    3⤵
    PID:2008
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:3240
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener"
    3⤵
    PID:3496
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:1368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\HolographicDevice"
    3⤵
    PID:2476
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:3084
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\LwtNetLog"
    3⤵
    PID:4400
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:4932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Mellanox-Kernel"
    3⤵
    PID:1792
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-AssignedAccess-Trace"
    3⤵
    PID:2084
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:1328
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-Rdp-Graphics-RdpIdd-Trace"
    3⤵
    PID:4304
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:232
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-Setup"
    3⤵
    PID:4572
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:4964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NBSMBLOGGER"
    3⤵
    PID:3976
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:3952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NetCore"
    3⤵
    PID:5056
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:4060
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NtfsLog"
    3⤵
    PID:2296
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:1128
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\PEAuthLog"
    3⤵
    PID:2336
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:2180
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\RadioMgr"
    3⤵
    PID:5080
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:4988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\RdrLog"
    3⤵
    PID:1932
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:3704
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SetupPlatform"
    3⤵
    PID:3008
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:4136
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SetupPlatformTel"
    3⤵
    PID:404
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:448
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SpoolerLogger"
    3⤵
    PID:996
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger"
    3⤵
    PID:5116
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:1408
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TCPIPLOGGER"
    3⤵
    PID:640
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:3860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TileStore"
    3⤵
    PID:3832
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:5044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Tpm"
    3⤵
    PID:4000
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:3748
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\UBPM"
    3⤵
    PID:396
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:2332
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog"
    3⤵
    PID:3188
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:3844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WFP-IPsec Trace"
    3⤵
    PID:4068
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:3924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiDriverIHVSession"
    3⤵
    PID:4188
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:3512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiDriverIHVSessionRepro"
    3⤵
    PID:528
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:1040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiSession"
    3⤵
    PID:1556
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:4560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WinPhoneCritical"
    3⤵
    PID:1396
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x1$"
    3⤵
    PID:4244
- - C:\Windows\system32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo
    3⤵
    PID:3160
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Id .*REG_SZ .*null$"
    3⤵
    PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:4428
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:3896
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:2580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:3128
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:2576
- - C:\Windows\system32\findstr.exe
    findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:1240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:1052
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:4116
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:1332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:2216
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:2508
- - C:\Windows\system32\findstr.exe
    findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:2380
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:3352
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:3708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:5020
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:8
- - C:\Windows\system32\findstr.exe
    findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:4708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:4888
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:2608
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:2772
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:3580
- - C:\Windows\system32\findstr.exe
    findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:3292
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:4824
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:5012
- - C:\Windows\system32\findstr.exe
    findstr /a:0f "." "/.\'" nul
    3⤵
    PID:3804
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:4400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:2124
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:4272
- - C:\Windows\system32\findstr.exe
    findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:3184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:4776
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:4480
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:4020
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:3680
- - C:\Windows\system32\findstr.exe
    findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:4012
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:4924
- - C:\Windows\system32\findstr.exe
    findstr /a:0e /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:2336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:1972
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:1704
- - C:\Windows\system32\findstr.exe
    findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:3032
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:3996
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:404
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
    3⤵
    - Modifies registry key
    PID:1412
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x4$"
    3⤵
    PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:1436
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:2504
- - C:\Windows\system32\findstr.exe
    findstr /a:0e /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:1364
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
    3⤵
    PID:3548
- - C:\Windows\system32\findstr.exe
    findstr /irc:" Start .*REG_DWORD .*0x[1-3]$"
    3⤵
    PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:3144
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:3844
- - C:\Windows\system32\findstr.exe
    findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:4068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:1088
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:3512
- - C:\Windows\system32\findstr.exe
    findstr /a:0e /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:1532
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:3280
- - C:\Windows\system32\findstr.exe
    findstr /a:0c /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:1396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:3160
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:2812
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:4764
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:1488
- - C:\Windows\system32\findstr.exe
    findstr /a:4f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:3472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:3560
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:1648
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:556
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:2740
- - C:\Windows\system32\findstr.exe
    findstr /a:3f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:2216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:4800
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:4592
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:4352
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:1248
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:5020
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:8
- - C:\Windows\system32\findstr.exe
    findstr /a:06 /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:4708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
    3⤵
    PID:3248
- - C:\Windows\system32\subst.exe
    subst ': "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:2980
- - C:\Windows\system32\findstr.exe
    findstr /a:0f /f:C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp "."
    3⤵
    PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c xcopy /L /w "C:\Users\Admin\AppData\Local\Temp\7520.tmp\7521.tmp\7522.bat" "C:\Users\Admin\AppData\Local\Temp\7520.tmp\7521.tmp\7522.bat" 2>NUL
    3⤵
    PID:1428
  - - C:\Windows\system32\xcopy.exe
      xcopy /L /w "C:\Users\Admin\AppData\Local\Temp\7520.tmp\7521.tmp\7522.bat" "C:\Users\Admin\AppData\Local\Temp\7520.tmp\7521.tmp\7522.bat"
      4⤵
      PID:2772

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:2272

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\'

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\7520.tmp\7521.tmp\7522.bat

Filesize
477KB

MD5
18bf350d5529733ceaf91f896d3db5d4

SHA1
232615ca62e6e7be0d1f90123db6d4aaaef0270a

SHA256
bd4d80a2469ca58be831618b580ec03754fb27056ab04ef25a550b892f5a43f9

SHA512
eb5972d4acdc0f825b5ca2eebd353b72854b0abee01957db1d178bfa68727a6916c2a6ea5d31b0012014c93057a55e0d537f02649fc02ea0f29f78c348c16f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
32B

MD5
3c0e051cae923ef7acf4d09afdfd0427

SHA1
a7c7b28c1f749cf9e1514c9d2198b7c08ceb5d05

SHA256
823762c92e56396a66bbcac80faa9a3f52f7b05351dbd43369a22dad8c38d010

SHA512
0b6192ca85587a765591409900ac45c333f600ed08f4dc1a10993317d6d048cd0beb05981109b738fe5527fd92e5ee2d819d273f55bf0c5c49e594a5966abee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
12B

MD5
8f5514b0d0a36c97a857045ddafdc470

SHA1
8bafee96d2fe769dffe498dc9bfdf7b368dc372d

SHA256
7be9179f16b374c695631903088b38e99028efd268964591bcd48e2fbda9b540

SHA512
a60eb26642bb8c27a4dc6cb41cdae14ed1cf4a1a5653637849cab585e7fefac2f44e03e741e24a8ff3b48fb74bab248900d4b11726ab4495a572b353e5f4b673

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
11B

MD5
8da145462f785db926f4289d0a9c2fdb

SHA1
32c2bd035bdc95f1d3c7ed4850545004653eb1ed

SHA256
2556082038f3a5bd5752b774971e7a5744a5f7a17452277ef46b215c73de2132

SHA512
958fc6e754036bba5cdee1638639586ccde6b3adc6deadc5c8ac1cf10e8a06db9d3c44d13957eab0ca2d31ba70adfdac5e6be6616ebc1d109a91b27700044caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
10B

MD5
28b4ffd6efb374469609c1d8fba31c4d

SHA1
6e70d8ce6a3d22c3f8e1ed7aa5b70556712331f8

SHA256
b0eacbaca80bce3d73d60c5ee14e219573474fcf9c94a269e61746b09f6e1fba

SHA512
88ff8492390e577770f1a47d773c981b2f662962d37f6ad43eec40571442dd0c9300f88af51e5dc91fa62274e8498c4d2b8106ef910af7eb8299fd69268dac0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
9B

MD5
1e930993fa6581249e4c13726d1cb09d

SHA1
f34f88fddcea971d4ee8cfd27b18f62fd11f5df2

SHA256
cd8746fce7c39374e2612724cb78ba4d6d8bf9a326d0804f464516039c7a482f

SHA512
b918c8360e8d5b998e8e92ec2e075dab749c0faabb3a652d3c92338985f01912664d0828b9cb061786b32ce875d1bd718baccdf32c7553ccda15dbdc3216883a

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
10B

MD5
f59c8225d45fea0c2f3ac81076972e64

SHA1
eab8e70c711290d71e86aad0de22bbc470f0272c

SHA256
969df9f0b907b29ea0c707e677b3cfccc845eeb9c79a0f876ccc3c0a19f49aa0

SHA512
d3783e7f962b14af39274a5fe3dfdf0b9c05dfd2c9142686c4b68af6dc6d6c558ef39996ed047696224294e09b2ef9fe8916d9afe1ce73ea85572f6d4f4ef67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
48B

MD5
91418fff4aedc3c32effe9e134de31c7

SHA1
9e399d8a14d2848736e3e79d9768f9384ffdfaf0

SHA256
c146fe1ea70d4f8919324ebf2e05386a081365b006f14fa7d4de18e16b08b7b8

SHA512
611f10e011b458a77bf94b5cfb0f7f5a8095df46f2e41db491ae7407264acd059cc728cb1837ab0274c481b6dd7e156f45608450ab707036310acd9fcee00349

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
23B

MD5
5c02a241e6b6245db970e3b8c4f920f6

SHA1
5fd848ba1eb006b83c8d6ff137ce38744467c754

SHA256
a93da3abafeb9ccd372d0b6b615bfbb2552702c8b0257cfe87eab457a0784e88

SHA512
42b873204be75fe8ccb72d31f832ecc586f29a77887ef9f892bd9e36fb173e14eadf20e99a79b3eedc51f14c2a72e5fa449f2f72b6b7c47a015ee46579b7d7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
16B

MD5
895a0daf7b940b42995bac035f6aa760

SHA1
2967056a9564c16499bcf05268deafc5bf06a638

SHA256
1806ba86bced65b258db86fd275c980c3693d2fdad9bc2b3e0fd24264da261d4

SHA512
e2b1dbf4f1c8138210e335e71676b040d3f279972661b0c1263dbde90861f4c923bd9209b96e26121d7085eb50577c86b9685aafc3cfbab635d1b0fa3ca7ccb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
63B

MD5
1a08906d9cb38b3857583b9a560ee30f

SHA1
76c5dfcd12a1d0456bbee9b8c013aa93b1a1578e

SHA256
d35d3820163551eba37375f91d3247932ca0121540c2a6f226d12c56cdbc9b5c

SHA512
5769cf5b4498f63a6a34fcd92b7d9d5c4e8d4b4e3a0f1b35a65139f903880958a5103e4d9b20695048b10624fc16ca8c5485a4e31e6c046780545e9c832a5375

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
10B

MD5
cf0e6212974313466638c2ee46fb0d0f

SHA1
e59d48fb0dd400f65d62f542b554b0157adb7735

SHA256
6f64b34df0d4a3cde3050a75636f79354f5c800e0fbf50d6456a371b63926120

SHA512
4e2f23238b889f84b59e0d83b5ef2e3981bbfa4506f114b2e53986eae7cb0a028c59ed6f039428be0dbea67df6de454c611ee4016f3327ce88cab7bd63172395

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
38B

MD5
3884887f65745965da0fe42ff68e8e46

SHA1
5001b2948c288653e16248f8761b4c9ed8900044

SHA256
08b46b6d09e7678b034b1ccf96a366f71d001127554bef9fd97fff7873beda99

SHA512
9ed3406b7272eee3a13731f1649e1fd2f3273f472f5dc192e749afd0ac5e4f4f7d46d4447212b880f8730bb3b46bf0c842d3648a6101f1493b7a111b72e09788

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
8B

MD5
69fbb26c1d8f4df2a309f9cf88340928

SHA1
990792f5db60f5a27fed21303039459dca6cc877

SHA256
fbfaac26f2d0240a0764407c4848e8989b09855988f63023b4b0faec9970d929

SHA512
7c60adc20b4df64f34c1e727d650de14509bd1033e86c22729de4eb958ae92e14cdb920a902f8605f21b23c714b34017454c89db352d0f299b019283388367b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
32B

MD5
4e13bc2227bf31265b8db09593cb3657

SHA1
85ad3efe4613e7a37d697b9a72e0bc1bcbda1c57

SHA256
037dc57dd95d18bf446bfc091c84df9659c83ec31a2bf28332833a2af902d10c

SHA512
c699d077d94a6b37239dc2da072f62f947bd140d7be9b8ccb3338fe101dfb9aff07b99aa2b924e20df1a99abf4f18089ce1d9d9c16fdd5d0468d1e8f24cdbf15

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
19B

MD5
943471f039cb82d7e5a146f2397807c3

SHA1
fc5d5e2f5bd4caf930ae823a080754b3bc3c8d2e

SHA256
92eddbb3afb6348f90603b48a65b7e3d300b525107b5d6299b5738d2517d4dff

SHA512
25dec352d18b6263ffefaadf8f5acb0509a4a437425a8d9af96623696f7d6db5d1f9bc6197ecfffbbfad10c045ab5a6f71ba074d45e9d1388fac40533bbb4b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
29B

MD5
a81cced386011e782b43c0d3251b560b

SHA1
6b7d165226b6a6a9c09c114917d6f7b70ed3d52b

SHA256
aa03808fa7d3d597c9532b62ac48a55e5796cc947fedc98becb5e41f15f8e2e9

SHA512
215273e2c7f2dee477cf55db257cf91b6c9666ab21d8cb07f273371239bc267b8ef634ca9ea396fe4252351fe64f60eac436faedab1bd8d2d78234cf3fa95608

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
32B

MD5
266b2aabcd30d0afd83540daae99a22b

SHA1
6e94ebdc327d1581eab746c27cfe816948c38ab7

SHA256
6921ef6e2f742568023da2ec7bb3eb0e0b0d85820c1471a0c95c959dac19c8be

SHA512
738cf6d936301f1b049e934710002432b6a2689aceaeb3be80b6dbcb41deadf553d83fa7ea8851234e6917e1582da6545aaf22b0e31e0c5baa9144e68bea4051

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
32B

MD5
970785299fcc92ab24103af56c64cfd3

SHA1
72a8bada2a8aa69634c5b7ac2bb850c8ef3f3d48

SHA256
59204b27e2569e9c5a481af3886abe6bc4b8dda6a450102b84612e72a90f151c

SHA512
93dbf4989db1e7cf5fda8ff02ebd2eacc4ae74142ddd328a103c3034724eea04621777dc742a6a347bad91468b4890675efddc8024f05a35eb9f13dd7c73dc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
32B

MD5
f8263a827d2cc8ecee893b3051f0f0d4

SHA1
927bb7b2dfa41097a016aedb3c8741373f439787

SHA256
1c5ac8e25fd1e5848d752fde2b7e5b1a418b1e896c7324006025942734a3052f

SHA512
d18abbd486ef475cb71e3eb483992d88324a495cea6e7eefbc95d940ec46dfe108d40c5bc0b92052c1fd2d0a873648571d490cad8994506dc5369a8f196373cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
20B

MD5
8d0147ec334f4b2567029dfce703fcde

SHA1
b1821df7c08d996d0d4fd09165ba2c6e2b2ecc24

SHA256
a4307857231aad4e1ad6c49fd5cc4e5ecaa593cf671fbe48c3002e4fa604fdf2

SHA512
6e3d14675079e0c5869a1879c5a33e8082b2ad90a716fe9f6d66a660a40ee110935c0bbb668b8bf4c190e9fb28582d6c4e9942b04c7a30417323dafe2146aeea

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
18B

MD5
c82a9ecd14c067e8a52e2ae041d5790f

SHA1
9491863a587f01917a6de13235721f769f4ecbf9

SHA256
db036483e8b88559a05534170f842bf0339f6f258122845568345ec8e4402782

SHA512
127ab799d673ad3ec8d2ed7e9fff5758ed241b1be6c3039c499385b35dc9f7db007d92477c905995da69b7f4679ef528352f5ea2978e23bc2f4017dbdbdf4b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
20B

MD5
599f806a626dda2fa2cbc755e98b5bb4

SHA1
30d69b664f0eb40102a1de9dc34e7a2fa33f21e5

SHA256
702ef14a4166667a42ee50f5a04298c951ba7464653e04ea04a6610386ac6c33

SHA512
318a531b6991ec1bebc21ded11555c3043e6674eb68b11218aa47ac4782463c3e8d58620a5b6d69860a659ac383cd3cc404fc659c85c839ecbba7f30b9fb981e

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
32B

MD5
0efa62e28f946112649b917f19e96c90

SHA1
be33e7fb85194a025460bf9dabd7236e7935e7ba

SHA256
6ac5c33ccc6b9db0424c3c38acda4ee0aacf21155aef111857f4889080c93400

SHA512
6497b3aea9d35fbbbf87f8253e61442e590f3a432ed53e166aa3d14c9d54afd73da0b1b44850b6f6e00674e427b818dafaa1c463057be0f5baba0d9edcf962d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
9B

MD5
44f81b751ab0e430f91039661badb994

SHA1
8c6c0a80f9545745bccb1dc60208e90954c025ec

SHA256
c9061f8a635d7b49893673b6c69d3c400972e45f221f698efde216d476f9387e

SHA512
e5dd78db2bab945bcbb56242579e82ea670033410f48f22c5dd52621db1811be2c7e1dc134ab563355113e437b536a8e5abf931fa700705721a89172a5e1aa8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
8B

MD5
9e5bc90abc2d668ec0edeafd847a367c

SHA1
f12743d1f5407546eb70c162d53d6a05870b680f

SHA256
ea94e743be9a8e6c294bccf4f3f7bd0a0f459aecb6d272098e91eab3fade3a23

SHA512
17f5ad246b0d93e7f3d51227797ac6f0a380799a688c8dd1ab233d82938d1b21c86a2a256e42e6814d3efed24252101f4082c056bd17366a1a70aad7aa090649

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbird-gui.tmp

Filesize
23B

MD5
e75b24a3f3a9a5e65ee890cc95be6949

SHA1
89b90b0251baa77a186d00ef3e8ffc76edd65aba

SHA256
5b0e23aef6a89ee46f0b96fc8a820dc9feca59ff3c2a49b1979f692796a4c9d7

SHA512
3887322d4f485379980c4130d3109824fe54558e3836bf68fe01d1842b5cc5acda726b8fc4a70d7f2df5e00ba329061eb2e606bd3a2d956974675f873777d0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\bird.ncfg.tmp

Filesize
2KB

MD5
ec5c5e3b5b1aeb5d441a6c4f476711dd

SHA1
5810ab2cea9fdbbee9f78e06d33800cb704a52c2

SHA256
7fdb0acb1fa2f30b3472d671fe3e5f2f6d2aef283b6ba99fa181d0b27df1e9db

SHA512
0088d4d90427e280b7f3aeed4c244c8ca6c8c24ed238ee30033750b4260d9870f6741291fde4bf8c71afd3214ed8a24ca880e33b4328de7073c93ecc860e522f

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackbirds_temp\blackbird.tempsch_raw.tmp

Filesize
3KB

MD5
fc5170e326437fc85b49dd71e02fad0f

SHA1
95fa02fb407a780378652e3d7194b3d19fe8ba34

SHA256
7bb8f7b995e804d26fab37d3db1ef7ae5b4efd4b96b8fb0e942e033206d32ea7

SHA512
8eb259425b005590634840821cd4a50fb680c3e6ecbf65363decbcf24d56985e3b924d221c074956665f18886b56aaf2a2a57caca816d87c3de5a499fff918dd

Download Submit
memory/5072-0-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/5072-42-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download