d261cc4cc40165817ae64ca19140e5c574f36d97c703165256e92e1df02becd0

Resubmissions

25/04/2023, 20:18

230425-y3j7yscg23 10

Analysis

max time kernel
510s
max time network
514s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Executables/FINALIZE.cmd
Size

10KB
MD5

65b5ea0e86c52c2919c2cd6f6eb89747
SHA1

1d959f9373947c04904e59c57e7e695ec0878f89
SHA256

8d2fa62bf65c4d77677d10d558fd2fb17afcdf19b9408ceac678746d2b92cedc
SHA512

ca738cd11043c4e6afde9ffb4afda28d1ff56f0dba9359fb5892c2c26153d4444681c4cbafc89ec208ccd866ad58e3cbc1157aca320e69841075afc589bd1e45
SSDEEP

192:pxSeJHItmmxUXvP519sCHSFvVFC7nl4ILoJ77tR0/bF7MlWWgEVVmgOcMEeRtk3v:pxSeJHIK519VyFvMlUIXWpwxrVJMb

Score

6^/10

Malware Config

Signatures

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	reg.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
636	schtasks.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4928	taskkill.exe
4920	taskkill.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1352	powershell.exe
1352	powershell.exe
3356	powershell.exe
3356	powershell.exe
4860	powershell.exe
4860	powershell.exe
968	powershell.exe
968	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	812	WMIC.exe
Token: SeSecurityPrivilege	812	WMIC.exe
Token: SeTakeOwnershipPrivilege	812	WMIC.exe
Token: SeLoadDriverPrivilege	812	WMIC.exe
Token: SeSystemProfilePrivilege	812	WMIC.exe
Token: SeSystemtimePrivilege	812	WMIC.exe
Token: SeProfSingleProcessPrivilege	812	WMIC.exe
Token: SeIncBasePriorityPrivilege	812	WMIC.exe
Token: SeCreatePagefilePrivilege	812	WMIC.exe
Token: SeBackupPrivilege	812	WMIC.exe
Token: SeRestorePrivilege	812	WMIC.exe
Token: SeShutdownPrivilege	812	WMIC.exe
Token: SeDebugPrivilege	812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	812	WMIC.exe
Token: SeRemoteShutdownPrivilege	812	WMIC.exe
Token: SeUndockPrivilege	812	WMIC.exe
Token: SeManageVolumePrivilege	812	WMIC.exe
Token: 33	812	WMIC.exe
Token: 34	812	WMIC.exe
Token: 35	812	WMIC.exe
Token: 36	812	WMIC.exe
Token: SeIncreaseQuotaPrivilege	812	WMIC.exe
Token: SeSecurityPrivilege	812	WMIC.exe
Token: SeTakeOwnershipPrivilege	812	WMIC.exe
Token: SeLoadDriverPrivilege	812	WMIC.exe
Token: SeSystemProfilePrivilege	812	WMIC.exe
Token: SeSystemtimePrivilege	812	WMIC.exe
Token: SeProfSingleProcessPrivilege	812	WMIC.exe
Token: SeIncBasePriorityPrivilege	812	WMIC.exe
Token: SeCreatePagefilePrivilege	812	WMIC.exe
Token: SeBackupPrivilege	812	WMIC.exe
Token: SeRestorePrivilege	812	WMIC.exe
Token: SeShutdownPrivilege	812	WMIC.exe
Token: SeDebugPrivilege	812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	812	WMIC.exe
Token: SeRemoteShutdownPrivilege	812	WMIC.exe
Token: SeUndockPrivilege	812	WMIC.exe
Token: SeManageVolumePrivilege	812	WMIC.exe
Token: 33	812	WMIC.exe
Token: 34	812	WMIC.exe
Token: 35	812	WMIC.exe
Token: 36	812	WMIC.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeIncreaseQuotaPrivilege	4116	WMIC.exe
Token: SeSecurityPrivilege	4116	WMIC.exe
Token: SeTakeOwnershipPrivilege	4116	WMIC.exe
Token: SeLoadDriverPrivilege	4116	WMIC.exe
Token: SeSystemProfilePrivilege	4116	WMIC.exe
Token: SeSystemtimePrivilege	4116	WMIC.exe
Token: SeProfSingleProcessPrivilege	4116	WMIC.exe
Token: SeIncBasePriorityPrivilege	4116	WMIC.exe
Token: SeCreatePagefilePrivilege	4116	WMIC.exe
Token: SeBackupPrivilege	4116	WMIC.exe
Token: SeRestorePrivilege	4116	WMIC.exe
Token: SeShutdownPrivilege	4116	WMIC.exe
Token: SeDebugPrivilege	4116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4116	WMIC.exe
Token: SeRemoteShutdownPrivilege	4116	WMIC.exe
Token: SeUndockPrivilege	4116	WMIC.exe
Token: SeManageVolumePrivilege	4116	WMIC.exe
Token: 33	4116	WMIC.exe
Token: 34	4116	WMIC.exe
Token: 35	4116	WMIC.exe
Token: 36	4116	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 912	1404	cmd.exe	83
PID 1404 wrote to memory of 912	1404	cmd.exe	83
PID 912 wrote to memory of 812	912	cmd.exe	84
PID 912 wrote to memory of 812	912	cmd.exe	84
PID 912 wrote to memory of 1524	912	cmd.exe	85
PID 912 wrote to memory of 1524	912	cmd.exe	85
PID 1404 wrote to memory of 2252	1404	cmd.exe	86
PID 1404 wrote to memory of 2252	1404	cmd.exe	86
PID 1404 wrote to memory of 2196	1404	cmd.exe	87
PID 1404 wrote to memory of 2196	1404	cmd.exe	87
PID 1404 wrote to memory of 1532	1404	cmd.exe	88
PID 1404 wrote to memory of 1532	1404	cmd.exe	88
PID 1532 wrote to memory of 1352	1532	cmd.exe	89
PID 1532 wrote to memory of 1352	1532	cmd.exe	89
PID 1404 wrote to memory of 2168	1404	cmd.exe	90
PID 1404 wrote to memory of 2168	1404	cmd.exe	90
PID 2168 wrote to memory of 4116	2168	cmd.exe	91
PID 2168 wrote to memory of 4116	2168	cmd.exe	91
PID 2168 wrote to memory of 4832	2168	cmd.exe	92
PID 2168 wrote to memory of 4832	2168	cmd.exe	92
PID 1404 wrote to memory of 312	1404	cmd.exe	93
PID 1404 wrote to memory of 312	1404	cmd.exe	93
PID 312 wrote to memory of 3956	312	cmd.exe	94
PID 312 wrote to memory of 3956	312	cmd.exe	94
PID 312 wrote to memory of 5008	312	cmd.exe	95
PID 312 wrote to memory of 5008	312	cmd.exe	95
PID 1404 wrote to memory of 2132	1404	cmd.exe	96
PID 1404 wrote to memory of 2132	1404	cmd.exe	96
PID 1404 wrote to memory of 752	1404	cmd.exe	97
PID 1404 wrote to memory of 752	1404	cmd.exe	97
PID 1404 wrote to memory of 4396	1404	cmd.exe	98
PID 1404 wrote to memory of 4396	1404	cmd.exe	98
PID 4396 wrote to memory of 3688	4396	cmd.exe	99
PID 4396 wrote to memory of 3688	4396	cmd.exe	99
PID 4396 wrote to memory of 2080	4396	cmd.exe	100
PID 4396 wrote to memory of 2080	4396	cmd.exe	100
PID 1404 wrote to memory of 2296	1404	cmd.exe	101
PID 1404 wrote to memory of 2296	1404	cmd.exe	101
PID 1404 wrote to memory of 4612	1404	cmd.exe	102
PID 1404 wrote to memory of 4612	1404	cmd.exe	102
PID 1404 wrote to memory of 3464	1404	cmd.exe	103
PID 1404 wrote to memory of 3464	1404	cmd.exe	103
PID 1404 wrote to memory of 4508	1404	cmd.exe	104
PID 1404 wrote to memory of 4508	1404	cmd.exe	104
PID 1404 wrote to memory of 3628	1404	cmd.exe	105
PID 1404 wrote to memory of 3628	1404	cmd.exe	105
PID 3628 wrote to memory of 4200	3628	cmd.exe	106
PID 3628 wrote to memory of 4200	3628	cmd.exe	106
PID 3628 wrote to memory of 3524	3628	cmd.exe	107
PID 3628 wrote to memory of 3524	3628	cmd.exe	107
PID 1404 wrote to memory of 3480	1404	cmd.exe	115
PID 1404 wrote to memory of 3480	1404	cmd.exe	115
PID 1404 wrote to memory of 3760	1404	cmd.exe	116
PID 1404 wrote to memory of 3760	1404	cmd.exe	116
PID 1404 wrote to memory of 4224	1404	cmd.exe	117
PID 1404 wrote to memory of 4224	1404	cmd.exe	117
PID 1404 wrote to memory of 2800	1404	cmd.exe	118
PID 1404 wrote to memory of 2800	1404	cmd.exe	118
PID 1404 wrote to memory of 3244	1404	cmd.exe	119
PID 1404 wrote to memory of 3244	1404	cmd.exe	119
PID 3244 wrote to memory of 1420	3244	cmd.exe	120
PID 3244 wrote to memory of 1420	3244	cmd.exe	120
PID 3244 wrote to memory of 3732	3244	cmd.exe	121
PID 3244 wrote to memory of 3732	3244	cmd.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2596	attrib.exe
1452	attrib.exe
2632	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executables\FINALIZE.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID | findstr /l "PCI\VEN_"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter get PNPDeviceID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- - C:\Windows\system32\findstr.exe
    findstr /l "PCI\VEN_"
    3⤵
    PID:1524
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:2252
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
  2⤵
  PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerShell -NoP -C "Get-WmiObject -Class Win32_PnPEntity | Where-Object {$_.PNPClass -eq 'SCSIAdapter'} | Where-Object { $_.PNPDeviceID -like 'PCI\VEN_*' } | Select-Object -ExpandProperty DeviceID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoP -C "Get-WmiObject -Class Win32_PnPEntity | Where-Object {$_.PNPClass -eq 'SCSIAdapter'} | Where-Object { $_.PNPDeviceID -like 'PCI\VEN_*' } | Select-Object -ExpandProperty DeviceID"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_SoundDevice get PNPDeviceID | findstr /l "PCI\VEN_"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_SoundDevice get PNPDeviceID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4116
- - C:\Windows\system32\findstr.exe
    findstr /l "PCI\VEN_"
    3⤵
    PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_USBController get PNPDeviceID | findstr /l "PCI\VEN_"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:312
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_USBController get PNPDeviceID
    3⤵
    PID:3956
- - C:\Windows\system32\findstr.exe
    findstr /l "PCI\VEN_"
    3⤵
    PID:5008
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:2132
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
  2⤵
  PID:752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get PNPDeviceID | findstr /l "PCI\VEN_"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_VideoController get PNPDeviceID
    3⤵
    PID:3688
- - C:\Windows\system32\findstr.exe
    findstr /l "PCI\VEN_"
    3⤵
    PID:2080
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
  2⤵
  PID:2296
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
  2⤵
  PID:4612
- C:\Windows\System32\Wbem\WMIC.exe
  wmic computersystem get manufacturer /format:value
  2⤵
  PID:3464
- C:\Windows\system32\findstr.exe
  findstr /i /c:VMWare
  2⤵
  PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /f "DmaRemappingCompatible" | find /i "Services\"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /f "DmaRemappingCompatible"
    3⤵
    - Maps connected drives based on registry
    PID:4200
- - C:\Windows\system32\find.exe
    find /i "Services\"
    3⤵
    PID:3524
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pci\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
  2⤵
  PID:3480
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\storahci\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
  2⤵
  PID:3760
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stornvme\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
  2⤵
  PID:4224
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
  2⤵
  PID:2800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" /s /f "NetbiosOptions" | findstr "HKEY"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" /s /f "NetbiosOptions"
    3⤵
    PID:1420
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3732
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{140bc9a1-e28b-4c69-95c9-8f3d77de2e22}" /v "NetbiosOptions" /t REG_DWORD /d "2" /f
  2⤵
  PID:3420
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{c825f375-36d2-40fe-a917-4437c6b7732d}" /v "NetbiosOptions" /t REG_DWORD /d "2" /f
  2⤵
  PID:4936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get GUID | findstr "{"
  2⤵
  PID:556
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter get GUID
    3⤵
    PID:4104
- - C:\Windows\system32\findstr.exe
    findstr "{"
    3⤵
    PID:3764
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{140BC9A1-E28B-4C69-95C9-8F3D77DE2E22}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
  2⤵
  PID:4812
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{140BC9A1-E28B-4C69-95C9-8F3D77DE2E22}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f
  2⤵
  PID:4848
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{140BC9A1-E28B-4C69-95C9-8F3D77DE2E22}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
  2⤵
  PID:4896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter get PNPDeviceID| findstr /L "PCI\VEN_"
  2⤵
  PID:392
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter get PNPDeviceID
    3⤵
    PID:2968
- - C:\Windows\system32\findstr.exe
    findstr /L "PCI\VEN_"
    3⤵
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18" /v "Driver"
  2⤵
  PID:2024
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18" /v "Driver"
    3⤵
    PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "AdvancedEEE" | findstr "HKEY"
  2⤵
  PID:2224
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "AdvancedEEE"
    3⤵
    PID:1784
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*AdvancedEEE" | findstr "HKEY"
  2⤵
  PID:508
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*AdvancedEEE"
    3⤵
    PID:2212
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "AlternateSemaphoreDelay" | findstr "HKEY"
  2⤵
  PID:2776
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "AlternateSemaphoreDelay"
    3⤵
    PID:1744
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*AlternateSemaphoreDelay" | findstr "HKEY"
  2⤵
  PID:4264
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*AlternateSemaphoreDelay"
    3⤵
    PID:3268
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:5092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ApCompatMode" | findstr "HKEY"
  2⤵
  PID:1356
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ApCompatMode"
    3⤵
    PID:1352
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*ApCompatMode" | findstr "HKEY"
  2⤵
  PID:3916
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*ApCompatMode"
    3⤵
    PID:4832
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ARPOffloadEnable" | findstr "HKEY"
  2⤵
  PID:3488
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ARPOffloadEnable"
    3⤵
    PID:984
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*ARPOffloadEnable" | findstr "HKEY"
  2⤵
  PID:312
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*ARPOffloadEnable"
    3⤵
    PID:2132
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "AutoDisableGigabit" | findstr "HKEY"
  2⤵
  PID:4784
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "AutoDisableGigabit"
    3⤵
    PID:3688
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*AutoDisableGigabit" | findstr "HKEY"
  2⤵
  PID:4396
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*AutoDisableGigabit"
    3⤵
    PID:2296
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "AutoPowerSaveModeEnabled" | findstr "HKEY"
  2⤵
  PID:2440
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "AutoPowerSaveModeEnabled"
    3⤵
    PID:2908
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*AutoPowerSaveModeEnabled" | findstr "HKEY"
  2⤵
  PID:2588
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*AutoPowerSaveModeEnabled"
    3⤵
    PID:1448
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "bAdvancedLPs" | findstr "HKEY"
  2⤵
  PID:2704
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "bAdvancedLPs"
    3⤵
    PID:2396
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*bAdvancedLPs" | findstr "HKEY"
  2⤵
  PID:4720
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*bAdvancedLPs"
    3⤵
    PID:3624
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "bLeisurePs" | findstr "HKEY"
  2⤵
  PID:3272
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "bLeisurePs"
    3⤵
    PID:1976
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*bLeisurePs" | findstr "HKEY"
  2⤵
  PID:3668
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*bLeisurePs"
    3⤵
    PID:4824
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "bLowPowerEnable" | findstr "HKEY"
  2⤵
  PID:1360
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "bLowPowerEnable"
    3⤵
    PID:540
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*bLowPowerEnable" | findstr "HKEY"
  2⤵
  PID:5004
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*bLowPowerEnable"
    3⤵
    PID:4212
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "DeviceSleepOnDisconnect" | findstr "HKEY"
  2⤵
  PID:2184
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "DeviceSleepOnDisconnect"
    3⤵
    PID:4732
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*DeviceSleepOnDisconnect" | findstr "HKEY"
  2⤵
  PID:4916
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*DeviceSleepOnDisconnect"
    3⤵
    PID:4404
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "DMACoalescing" | findstr "HKEY"
  2⤵
  PID:4724
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "DMACoalescing"
    3⤵
    PID:632
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*DMACoalescing" | findstr "HKEY"
  2⤵
  PID:4860
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*DMACoalescing"
    3⤵
    PID:4460
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EEE" | findstr "HKEY"
  2⤵
  PID:1944
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EEE"
    3⤵
    PID:528
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EEE" | findstr "HKEY"
  2⤵
  PID:4756
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EEE"
    3⤵
    PID:4232
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EEELinkAdvertisement" | findstr "HKEY"
  2⤵
  PID:4952
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EEELinkAdvertisement"
    3⤵
    PID:4904
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EEELinkAdvertisement" | findstr "HKEY"
  2⤵
  PID:3784
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EEELinkAdvertisement"
    3⤵
    PID:4504
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EeePhyEnable" | findstr "HKEY"
  2⤵
  PID:3768
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EeePhyEnable"
    3⤵
    PID:4316
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EeePhyEnable" | findstr "HKEY"
  2⤵
  PID:2848
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EeePhyEnable"
    3⤵
    PID:4880
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "Enable9KJFTpt" | findstr "HKEY"
  2⤵
  PID:2408
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "Enable9KJFTpt"
    3⤵
    PID:1420
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*Enable9KJFTpt" | findstr "HKEY"
  2⤵
  PID:4492
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*Enable9KJFTpt"
    3⤵
    PID:4932
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableConnectedPowerGating" | findstr "HKEY"
  2⤵
  PID:4680
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3728
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableConnectedPowerGating"
    3⤵
    PID:4776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnableConnectedPowerGating" | findstr "HKEY"
  2⤵
  PID:4836
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnableConnectedPowerGating"
    3⤵
    PID:4852
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableDynamicPowerGating" | findstr "HKEY"
  2⤵
  PID:4896
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1684
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableDynamicPowerGating"
    3⤵
    PID:3984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnableDynamicPowerGating" | findstr "HKEY"
  2⤵
  PID:3544
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnableDynamicPowerGating"
    3⤵
    PID:2240
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableEDT" | findstr "HKEY"
  2⤵
  PID:4376
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableEDT"
    3⤵
    PID:2836
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnableEDT" | findstr "HKEY"
  2⤵
  PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableGreenEthernet" | findstr "HKEY"
  2⤵
  PID:2516
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableGreenEthernet"
    3⤵
    PID:4416
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnableGreenEthernet" | findstr "HKEY"
  2⤵
  PID:4392
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnableGreenEthernet"
    3⤵
    PID:1520
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:5092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableModernStandby" | findstr "HKEY"
  2⤵
  PID:180
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableModernStandby"
    3⤵
    PID:216
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnableModernStandby" | findstr "HKEY"
  2⤵
  PID:2168
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnableModernStandby"
    3⤵
    PID:2316
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnablePME" | findstr "HKEY"
  2⤵
  PID:3392
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnablePME"
    3⤵
    PID:324
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnablePME" | findstr "HKEY"
  2⤵
  PID:4060
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:752
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnablePME"
    3⤵
    PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnablePowerManagement" | findstr "HKEY"
  2⤵
  PID:4436
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2080
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnablePowerManagement"
    3⤵
    PID:4144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnablePowerManagement" | findstr "HKEY"
  2⤵
  PID:4260
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnablePowerManagement"
    3⤵
    PID:2296
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableSavePowerNow" | findstr "HKEY"
  2⤵
  PID:4792
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableSavePowerNow"
    3⤵
    PID:3332
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnableSavePowerNow" | findstr "HKEY"
  2⤵
  PID:1636
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnableSavePowerNow"
    3⤵
    PID:3360
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableWakeOnLan" | findstr "HKEY"
  2⤵
  PID:2008
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableWakeOnLan"
    3⤵
    PID:1896
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnableWakeOnLan" | findstr "HKEY"
  2⤵
  PID:4788
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnableWakeOnLan"
    3⤵
    PID:3144
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "FlowControl" | findstr "HKEY"
  2⤵
  PID:1848
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "FlowControl"
    3⤵
    PID:1740
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*FlowControl" | findstr "HKEY"
  2⤵
  PID:1324
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*FlowControl"
    3⤵
    PID:3876
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "FlowControlCap" | findstr "HKEY"
  2⤵
  PID:4536
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "FlowControlCap"
    3⤵
    PID:3008
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*FlowControlCap" | findstr "HKEY"
  2⤵
  PID:4448
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*FlowControlCap"
    3⤵
    PID:3096
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "GigaLite" | findstr "HKEY"
  2⤵
  PID:2304
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:876
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "GigaLite"
    3⤵
    PID:1336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*GigaLite" | findstr "HKEY"
  2⤵
  PID:4684
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*GigaLite"
    3⤵
    PID:1120
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "GPPSW" | findstr "HKEY"
  2⤵
  PID:836
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "GPPSW"
    3⤵
    PID:5116
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*GPPSW" | findstr "HKEY"
  2⤵
  PID:3716
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*GPPSW"
    3⤵
    PID:4464
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "GTKOffloadEnable" | findstr "HKEY"
  2⤵
  PID:3652
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "GTKOffloadEnable"
    3⤵
    PID:528
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*GTKOffloadEnable" | findstr "HKEY"
  2⤵
  PID:4668
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*GTKOffloadEnable"
    3⤵
    PID:904
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "InactivePs" | findstr "HKEY"
  2⤵
  PID:4468
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "InactivePs"
    3⤵
    PID:3936
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*InactivePs" | findstr "HKEY"
  2⤵
  PID:2192
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*InactivePs"
    3⤵
    PID:3816
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LargeSendOffload" | findstr "HKEY"
  2⤵
  PID:3628
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LargeSendOffload"
    3⤵
    PID:3708
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*LargeSendOffload" | findstr "HKEY"
  2⤵
  PID:2416
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*LargeSendOffload"
    3⤵
    PID:4224
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LargeSendOffloadJumboCombo" | findstr "HKEY"
  2⤵
  PID:4968
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LargeSendOffloadJumboCombo"
    3⤵
    PID:1128
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*LargeSendOffloadJumboCombo" | findstr "HKEY"
  2⤵
  PID:2916
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*LargeSendOffloadJumboCombo"
    3⤵
    PID:3208
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LogLevelWarn" | findstr "HKEY"
  2⤵
  PID:5108
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LogLevelWarn"
    3⤵
    PID:3764
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*LogLevelWarn" | findstr "HKEY"
  2⤵
  PID:4848
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*LogLevelWarn"
    3⤵
    PID:4220
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LsoV1IPv4" | findstr "HKEY"
  2⤵
  PID:2044
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LsoV1IPv4"
    3⤵
    PID:1684
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*LsoV1IPv4" | findstr "HKEY"
  2⤵
  PID:2764
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*LsoV1IPv4"
    3⤵
    PID:1524
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LsoV2IPv4" | findstr "HKEY"
  2⤵
  PID:2836
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LsoV2IPv4"
    3⤵
    PID:4568
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*LsoV2IPv4" | findstr "HKEY"
  2⤵
  PID:2912
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*LsoV2IPv4"
    3⤵
    PID:4856
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LsoV2IPv6" | findstr "HKEY"
  2⤵
  PID:4532
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LsoV2IPv6"
    3⤵
    PID:4384
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*LsoV2IPv6" | findstr "HKEY"
  2⤵
  PID:3400
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*LsoV2IPv6"
    3⤵
    PID:5032
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "MasterSlave" | findstr "HKEY"
  2⤵
  PID:1532
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "MasterSlave"
    3⤵
    PID:1528
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*MasterSlave" | findstr "HKEY"
  2⤵
  PID:3916
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*MasterSlave"
    3⤵
    PID:4116
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ModernStandbyWoLMagicPacket" | findstr "HKEY"
  2⤵
  PID:984
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ModernStandbyWoLMagicPacket"
    3⤵
    PID:324
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*ModernStandbyWoLMagicPacket" | findstr "HKEY"
  2⤵
  PID:4484
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*ModernStandbyWoLMagicPacket"
    3⤵
    PID:2132
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "MPC" | findstr "HKEY"
  2⤵
  PID:3432
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "MPC"
    3⤵
    PID:3744
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*MPC" | findstr "HKEY"
  2⤵
  PID:4972
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*MPC"
    3⤵
    PID:4552
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "NicAutoPowerSaver" | findstr "HKEY"
  2⤵
  PID:2668
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "NicAutoPowerSaver"
    3⤵
    PID:2452
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*NicAutoPowerSaver" | findstr "HKEY"
  2⤵
  PID:3264
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*NicAutoPowerSaver"
    3⤵
    PID:2588
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "Node" | findstr "HKEY"
  2⤵
  PID:2164
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "Node"
    3⤵
    PID:2984
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*Node" | findstr "HKEY"
  2⤵
  PID:4720
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*Node"
    3⤵
    PID:3144
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "NSOffloadEnable" | findstr "HKEY"
  2⤵
  PID:3272
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "NSOffloadEnable"
    3⤵
    PID:1616
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*NSOffloadEnable" | findstr "HKEY"
  2⤵
  PID:396
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*NSOffloadEnable"
    3⤵
    PID:1852
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PacketCoalescing" | findstr "HKEY"
  2⤵
  PID:3060
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PacketCoalescing"
    3⤵
    PID:3704
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PacketCoalescing" | findstr "HKEY"
  2⤵
  PID:4156
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PacketCoalescing"
    3⤵
    PID:4168
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "rem" | findstr "HKEY"
  2⤵
  PID:4652
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "rem"
    3⤵
    PID:2184
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*rem" | findstr "HKEY"
  2⤵
  PID:4916
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*rem"
    3⤵
    PID:3316
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "Offload" | findstr "HKEY"
  2⤵
  PID:3128
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "Offload"
    3⤵
    PID:1036
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*Offload" | findstr "HKEY"
  2⤵
  PID:4816
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*Offload"
    3⤵
    PID:4860
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PMARPOffload" | findstr "HKEY"
  2⤵
  PID:1944
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PMARPOffload"
    3⤵
    PID:528
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PMARPOffload" | findstr "HKEY"
  2⤵
  PID:5068
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PMARPOffload"
    3⤵
    PID:4756
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "rem" | findstr "HKEY"
  2⤵
  PID:1152
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "rem"
    3⤵
    PID:2092
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*rem" | findstr "HKEY"
  2⤵
  PID:3784
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*rem"
    3⤵
    PID:3524
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "Offload" | findstr "HKEY"
  2⤵
  PID:2844
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "Offload"
    3⤵
    PID:3768
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*Offload" | findstr "HKEY"
  2⤵
  PID:3628
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*Offload"
    3⤵
    PID:64
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PMNSOffload" | findstr "HKEY"
  2⤵
  PID:4880
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PMNSOffload"
    3⤵
    PID:4964
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PMNSOffload" | findstr "HKEY"
  2⤵
  PID:3732
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PMNSOffload"
    3⤵
    PID:3420
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PMWiFiRekeyOffload" | findstr "HKEY"
  2⤵
  PID:4932
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PMWiFiRekeyOffload"
    3⤵
    PID:3908
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PMWiFiRekeyOffload" | findstr "HKEY"
  2⤵
  PID:620
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PMWiFiRekeyOffload"
    3⤵
    PID:660
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PowerDownPll" | findstr "HKEY"
  2⤵
  PID:4852
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PowerDownPll"
    3⤵
    PID:4708
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PowerDownPll" | findstr "HKEY"
  2⤵
  PID:4896
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PowerDownPll"
    3⤵
    PID:2968
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PowerSaveMode" | findstr "HKEY"
  2⤵
  PID:4608
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PowerSaveMode"
    3⤵
    PID:2196
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PowerSaveMode" | findstr "HKEY"
  2⤵
  PID:4160
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PowerSaveMode"
    3⤵
    PID:4496
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PowerSavingMode" | findstr "HKEY"
  2⤵
  PID:2016
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PowerSavingMode"
    3⤵
    PID:3044
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PowerSavingMode" | findstr "HKEY"
  2⤵
  PID:692
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PowerSavingMode"
    3⤵
    PID:4264
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PriorityVLANTag" | findstr "HKEY"
  2⤵
  PID:4392
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PriorityVLANTag"
    3⤵
    PID:5032
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PriorityVLANTag" | findstr "HKEY"
  2⤵
  PID:1832
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PriorityVLANTag"
    3⤵
    PID:2632
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ReduceSpeedOnPowerDown" | findstr "HKEY"
  2⤵
  PID:1368
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ReduceSpeedOnPowerDown"
    3⤵
    PID:2020
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*ReduceSpeedOnPowerDown" | findstr "HKEY"
  2⤵
  PID:3488
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*ReduceSpeedOnPowerDown"
    3⤵
    PID:324
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "S5WakeOnLan" | findstr "HKEY"
  2⤵
  PID:1796
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3336
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "S5WakeOnLan"
    3⤵
    PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*S5WakeOnLan" | findstr "HKEY"
  2⤵
  PID:3540
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*S5WakeOnLan"
    3⤵
    PID:3744
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "SavePowerNowEnabled" | findstr "HKEY"
  2⤵
  PID:3788
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "SavePowerNowEnabled"
    3⤵
    PID:4472
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*SavePowerNowEnabled" | findstr "HKEY"
  2⤵
  PID:4972
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*SavePowerNowEnabled"
    3⤵
    PID:2908
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "SelectiveSuspend" | findstr "HKEY"
  2⤵
  PID:2668
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "SelectiveSuspend"
    3⤵
    PID:4004
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*SelectiveSuspend" | findstr "HKEY"
  2⤵
  PID:3264
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*SelectiveSuspend"
    3⤵
    PID:2984
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:5028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "SipsEnabled" | findstr "HKEY"
  2⤵
  PID:2164
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "SipsEnabled"
    3⤵
    PID:3624
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*SipsEnabled" | findstr "HKEY"
  2⤵
  PID:4720
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*SipsEnabled"
    3⤵
    PID:2260
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "uAPSDSupport" | findstr "HKEY"
  2⤵
  PID:3272
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "uAPSDSupport"
    3⤵
    PID:4796
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*uAPSDSupport" | findstr "HKEY"
  2⤵
  PID:396
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*uAPSDSupport"
    3⤵
    PID:4536
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ULPMode" | findstr "HKEY"
  2⤵
  PID:2436
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ULPMode"
    3⤵
    PID:4996
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*ULPMode" | findstr "HKEY"
  2⤵
  PID:3096
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*ULPMode"
    3⤵
    PID:876
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WakeOnDisconnect" | findstr "HKEY"
  2⤵
  PID:1576
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WakeOnDisconnect"
    3⤵
    PID:4404
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WakeOnDisconnect" | findstr "HKEY"
  2⤵
  PID:4524
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WakeOnDisconnect"
    3⤵
    PID:632
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WakeOnLink" | findstr "HKEY"
  2⤵
  PID:5104
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WakeOnLink"
    3⤵
    PID:4408
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WakeOnLink" | findstr "HKEY"
  2⤵
  PID:2564
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WakeOnLink"
    3⤵
    PID:2420
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WakeOnMagicPacket" | findstr "HKEY"
  2⤵
  PID:4992
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WakeOnMagicPacket"
    3⤵
    PID:4768
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WakeOnMagicPacket" | findstr "HKEY"
  2⤵
  PID:2116
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WakeOnMagicPacket"
    3⤵
    PID:4176
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WakeOnPattern" | findstr "HKEY"
  2⤵
  PID:904
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WakeOnPattern"
    3⤵
    PID:844
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WakeOnPattern" | findstr "HKEY"
  2⤵
  PID:4800
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WakeOnPattern"
    3⤵
    PID:3092
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WakeOnSlot" | findstr "HKEY"
  2⤵
  PID:3816
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WakeOnSlot"
    3⤵
    PID:3480
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WakeOnSlot" | findstr "HKEY"
  2⤵
  PID:3080
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WakeOnSlot"
    3⤵
    PID:4912
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WakeUpModeCap" | findstr "HKEY"
  2⤵
  PID:4876
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WakeUpModeCap"
    3⤵
    PID:3680
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WakeUpModeCap" | findstr "HKEY"
  2⤵
  PID:2408
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WakeUpModeCap"
    3⤵
    PID:4492
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WoWLANLPSLevel" | findstr "HKEY"
  2⤵
  PID:4104
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WoWLANLPSLevel"
    3⤵
    PID:440
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WoWLANLPSLevel" | findstr "HKEY"
  2⤵
  PID:4920
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WoWLANLPSLevel"
    3⤵
    PID:4928
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:4220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WoWLANS5Support" | findstr "HKEY"
  2⤵
  PID:4812
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WoWLANS5Support"
    3⤵
    PID:1876
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WoWLANS5Support" | findstr "HKEY"
  2⤵
  PID:1160
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WoWLANS5Support"
    3⤵
    PID:3212
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh int ip show interfaces | findstr [0-9]
  2⤵
  PID:2044
- - C:\Windows\system32\netsh.exe
    netsh int ip show interfaces
    3⤵
    PID:1380
- - C:\Windows\system32\findstr.exe
    findstr [0-9]
    3⤵
    PID:2240
- C:\Windows\system32\netsh.exe
  netsh int ip set interface 1 routerdiscovery=disabled store=persistent
  2⤵
  PID:4608
- C:\Windows\system32\netsh.exe
  netsh int ip set interface 3 routerdiscovery=disabled store=persistent
  2⤵
  PID:368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get username /value | find "="
  2⤵
  PID:2516
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get username /value
    3⤵
    PID:2556
- - C:\Windows\system32\find.exe
    find "="
    3⤵
    PID:4584
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin \AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK"
  2⤵
  - Views/modifies file attributes
  PID:2596
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin \AppData\Roaming\Microsoft\Windows\SendTo\Mail Recipient.MAPIMail"
  2⤵
  - Views/modifies file attributes
  PID:1452
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin \AppData\Roaming\Microsoft\Windows\SendTo\Documents.mydocs"
  2⤵
  - Views/modifies file attributes
  PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture""
  2⤵
  PID:228
- - C:\Windows\system32\reg.exe
    reg query ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture""
    3⤵
    PID:1832
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{0bf0f2b2-c8ac-4390-9873-0cbdcf881972}\Properties" /v "{b3f8fa53-0004-438e-9003-51a46e139bfc},3" /t REG_DWORD /d "0" /f
  2⤵
  PID:1856
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{0bf0f2b2-c8ac-4390-9873-0cbdcf881972}\Properties" /v "{b3f8fa53-0004-438e-9003-51a46e139bfc},4" /t REG_DWORD /d "0" /f
  2⤵
  PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render""
  2⤵
  PID:2856
- - C:\Windows\system32\reg.exe
    reg query ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render""
    3⤵
    PID:3312
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c27e448f-4e64-46bd-9147-d5102ef70fce}\Properties" /v "{b3f8fa53-0004-438e-9003-51a46e139bfc},3" /t REG_DWORD /d "0" /f
  2⤵
  PID:264
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c27e448f-4e64-46bd-9147-d5102ef70fce}\Properties" /v "{b3f8fa53-0004-438e-9003-51a46e139bfc},4" /t REG_DWORD /d "0" /f
  2⤵
  PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture""
  2⤵
  PID:1704
- - C:\Windows\system32\reg.exe
    reg query ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture""
    3⤵
    PID:3336
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{0bf0f2b2-c8ac-4390-9873-0cbdcf881972}\FxProperties" /v "{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},5" /t REG_DWORD /d "1" /f
  2⤵
  PID:1796
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{0bf0f2b2-c8ac-4390-9873-0cbdcf881972}\FxProperties" /v "{1b5c2483-0839-4523-ba87-95f89d27bd8c},3" /t REG_BINARY /d "030044CD0100000000000000" /f
  2⤵
  PID:3744
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{0bf0f2b2-c8ac-4390-9873-0cbdcf881972}\FxProperties" /v "{73ae880e-8258-4e57-b85f-7daa6b7d5ef0},3" /t REG_BINARY /d "030044CD0100000001000000" /f
  2⤵
  PID:4436
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{0bf0f2b2-c8ac-4390-9873-0cbdcf881972}\FxProperties" /v "{9c00eeed-edce-4cd8-ae08-cb05e8ef57a0},3" /t REG_BINARY /d "030044CD0100000004000000" /f
  2⤵
  PID:3540
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{0bf0f2b2-c8ac-4390-9873-0cbdcf881972}\FxProperties" /v "{fc52a749-4be9-4510-896e-966ba6525980},3" /t REG_BINARY /d "0B0044CD0100000000000000" /f
  2⤵
  PID:2296
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{0bf0f2b2-c8ac-4390-9873-0cbdcf881972}\FxProperties" /v "{ae7f0b2a-96fc-493a-9247-a019f1f701e1},3" /t REG_BINARY /d "0300BC5B0100000001000000" /f
  2⤵
  PID:2440
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{0bf0f2b2-c8ac-4390-9873-0cbdcf881972}\FxProperties" /v "{1864a4e0-efc1-45e6-a675-5786cbf3b9f0},4" /t REG_BINARY /d "030044CD0100000000000000" /f
  2⤵
  PID:3788
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{0bf0f2b2-c8ac-4390-9873-0cbdcf881972}\FxProperties" /v "{61e8acb9-f04f-4f40-a65f-8f49fab3ba10},4" /t REG_BINARY /d "030044CD0100000050000000" /f
  2⤵
  PID:3464
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{0bf0f2b2-c8ac-4390-9873-0cbdcf881972}\Properties" /v "{e4870e26-3cc5-4cd2-ba46-ca0a9a70ed04},0" /t REG_BINARY /d "4100FE6901000000FEFF020080BB000000DC05000800200016002000030000000300000000001000800000AA00389B71" /f
  2⤵
  PID:3880
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{0bf0f2b2-c8ac-4390-9873-0cbdcf881972}\Properties" /v "{e4870e26-3cc5-4cd2-ba46-ca0a9a70ed04},1" /t REG_BINARY /d "41008EC901000000A086010000000000" /f
  2⤵
  PID:4972
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{0bf0f2b2-c8ac-4390-9873-0cbdcf881972}\Properties" /v "{3d6e1656-2e50-4c4c-8d85-d0acae3c6c68},3" /t REG_BINARY /d "4100020001000000FEFF020080BB000000DC05000800200016002000030000000300000000001000800000AA00389B71" /f
  2⤵
  PID:1500
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{0bf0f2b2-c8ac-4390-9873-0cbdcf881972}\Properties" /v "{624f56de-fd24-473e-814a-de40aacaed16},3" /f
  2⤵
  PID:1936
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{0bf0f2b2-c8ac-4390-9873-0cbdcf881972}\Properties" /v "{3d6e1656-2e50-4c4c-8d85-d0acae3c6c68},2" /f
  2⤵
  PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render""
  2⤵
  PID:2396
- - C:\Windows\system32\reg.exe
    reg query ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render""
    3⤵
    PID:5028
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c27e448f-4e64-46bd-9147-d5102ef70fce}\FxProperties" /v "{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},5" /t REG_DWORD /d "1" /f
  2⤵
  PID:3264
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c27e448f-4e64-46bd-9147-d5102ef70fce}\FxProperties" /v "{1b5c2483-0839-4523-ba87-95f89d27bd8c},3" /t REG_BINARY /d "030044CD0100000000000000" /f
  2⤵
  PID:2720
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c27e448f-4e64-46bd-9147-d5102ef70fce}\FxProperties" /v "{73ae880e-8258-4e57-b85f-7daa6b7d5ef0},3" /t REG_BINARY /d "030044CD0100000001000000" /f
  2⤵
  PID:2280
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c27e448f-4e64-46bd-9147-d5102ef70fce}\FxProperties" /v "{9c00eeed-edce-4cd8-ae08-cb05e8ef57a0},3" /t REG_BINARY /d "030044CD0100000004000000" /f
  2⤵
  PID:684
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c27e448f-4e64-46bd-9147-d5102ef70fce}\FxProperties" /v "{fc52a749-4be9-4510-896e-966ba6525980},3" /t REG_BINARY /d "0B0044CD0100000000000000" /f
  2⤵
  PID:808
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c27e448f-4e64-46bd-9147-d5102ef70fce}\FxProperties" /v "{ae7f0b2a-96fc-493a-9247-a019f1f701e1},3" /t REG_BINARY /d "0300BC5B0100000001000000" /f
  2⤵
  PID:1816
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c27e448f-4e64-46bd-9147-d5102ef70fce}\FxProperties" /v "{1864a4e0-efc1-45e6-a675-5786cbf3b9f0},4" /t REG_BINARY /d "030044CD0100000000000000" /f
  2⤵
  PID:1196
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c27e448f-4e64-46bd-9147-d5102ef70fce}\FxProperties" /v "{61e8acb9-f04f-4f40-a65f-8f49fab3ba10},4" /t REG_BINARY /d "030044CD0100000050000000" /f
  2⤵
  PID:1324
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c27e448f-4e64-46bd-9147-d5102ef70fce}\Properties" /v "{e4870e26-3cc5-4cd2-ba46-ca0a9a70ed04},0" /t REG_BINARY /d "4100FE6901000000FEFF020080BB000000DC05000800200016002000030000000300000000001000800000AA00389B71" /f
  2⤵
  PID:3876
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c27e448f-4e64-46bd-9147-d5102ef70fce}\Properties" /v "{3d6e1656-2e50-4c4c-8d85-d0acae3c6c68},3" /t REG_BINARY /d "4100020001000000FEFF020080BB000000DC05000800200016002000030000000300000000001000800000AA00389B71" /f
  2⤵
  PID:4164
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c27e448f-4e64-46bd-9147-d5102ef70fce}\Properties" /v "{e4870e26-3cc5-4cd2-ba46-ca0a9a70ed04},1" /t REG_BINARY /d "41008EC901000000A086010000000000" /f
  2⤵
  PID:3668
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c27e448f-4e64-46bd-9147-d5102ef70fce}\Properties" /v "{624f56de-fd24-473e-814a-de40aacaed16},3" /f
  2⤵
  PID:3704
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c27e448f-4e64-46bd-9147-d5102ef70fce}\Properties" /v "{3d6e1656-2e50-4c4c-8d85-d0acae3c6c68},2" /f
  2⤵
  PID:4828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKEY_USERS" | findstr /r /x /c:"HKEY_USERS\\S-.*" /c:"HKEY_USERS\\AME_UserHive_[^_]*"
  2⤵
  PID:4168
- - C:\Windows\system32\reg.exe
    reg query "HKEY_USERS"
    3⤵
    PID:4448
- - C:\Windows\system32\findstr.exe
    findstr /r /x /c:"HKEY_USERS\\S-.*" /c:"HKEY_USERS\\AME_UserHive_[^_]*"
    3⤵
    PID:1200
- C:\Windows\system32\reg.exe
  reg query "HKEY_USERS\S-1-5-19"
  2⤵
  PID:3856
- C:\Windows\system32\findstr.exe
  findstr /c:"Volatile Environment" /c:"AME_UserHive_"
  2⤵
  PID:2184
- C:\Windows\system32\reg.exe
  reg query "HKEY_USERS\S-1-5-20"
  2⤵
  PID:4156
- C:\Windows\system32\findstr.exe
  findstr /c:"Volatile Environment" /c:"AME_UserHive_"
  2⤵
  PID:3096
- C:\Windows\system32\reg.exe
  reg query "HKEY_USERS\S-1-5-21-1529757233-3489015626-3409890339-1000"
  2⤵
  PID:1120
- C:\Windows\system32\findstr.exe
  findstr /c:"Volatile Environment" /c:"AME_UserHive_"
  2⤵
  PID:3316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoP -C "New-PSDrive HKU Registry HKEY_USERS; New-ItemProperty -Path 'HKU:\S-1-5-21-1529757233-3489015626-3409890339-1000\AppEvents\Schemes' -Name '(Default)' -Value '.None' -Force | Out-Null"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoP -C "New-PSDrive HKU Registry HKEY_USERS; Get-ChildItem -Path 'HKU:\S-1-5-21-1529757233-3489015626-3409890339-1000\AppEvents\Schemes\Apps' | Get-ChildItem | Get-ChildItem | Where-Object {$_.PSChildName -eq '.Current'} | Set-ItemProperty -Name '(Default)' -Value ''"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4860
- C:\Windows\system32\reg.exe
  reg query "HKEY_USERS\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes"
  2⤵
  PID:2092
- C:\Windows\system32\findstr.exe
  findstr /c:"Volatile Environment" /c:"AME_UserHive_"
  2⤵
  PID:844
- C:\Windows\system32\reg.exe
  reg query "HKEY_USERS\S-1-5-18"
  2⤵
  PID:3796
- C:\Windows\system32\findstr.exe
  findstr /c:"Volatile Environment" /c:"AME_UserHive_"
  2⤵
  PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c PowerShell -NoP -C "Get-PhysicalDisk | ForEach-Object { $physicalDisk = $_ ; $physicalDisk | Get-Disk | Get-Partition | Where-Object { $_.DriveLetter -eq 'C'} | Select-Object @{n='MediaType';e={$physicalDisk.MediaType}}}"
  2⤵
  PID:2348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoP -C "Get-PhysicalDisk | ForEach-Object { $physicalDisk = $_ ; $physicalDisk | Get-Disk | Get-Partition | Where-Object { $_.DriveLetter -eq 'C'} | Select-Object @{n='MediaType';e={$physicalDisk.MediaType}}}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:968
- C:\Windows\system32\taskkill.exe
  taskkill /f /im mobsync.exe
  2⤵
  - Kills process with taskkill
  PID:4928
- C:\Windows\system32\taskkill.exe
  taskkill /f /im mobsync.exe
  2⤵
  - Kills process with taskkill
  PID:4920
- C:\Windows\system32\schtasks.exe
  schtasks /create /f /sc ONLOGON /ru "nt authority\system" /tn "\Atlas\Auto-Cleaner" /tr "C:\Windows\AtlasModules\Scripts\Auto-Cleaner.cmd" /delay 0000:30
  2⤵
  - Creates scheduled task(s)
  PID:636

C:\Windows\system32\findstr.exe
findstr "HKEY"
1⤵
PID:1660

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EnableEDT"
1⤵
PID:2212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
40091a0660e3f9854b12d266a2807163

SHA1
4bd785361b0e1d73c12be8cec82c7d7ead067779

SHA256
954e15b5e3d4e7fd0875ce18c4c3693efadbdc431591c9524231200a2787254d

SHA512
516b33d306890bc93a7cc080a0c5a8558b20e6ad85bad564b327ac05f1a60bd4406b34296d26ee0926340c63b814eddc4bc968c52fe647180b452da0a026077d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
896be636985cdaa136f7f143d6129321

SHA1
2f7234eaf60c055623a73f193438a1a694951c1c

SHA256
b5f67061bfe7dd97cddb1b69ca6c68aa0778b2aa2669a8c9a1fdc88c125facad

SHA512
a0d4d7f588e91be6d2c3e2d604351588175e8308d98615130d42992baf8efd44da7f142c5059364feab099376fc4748223ca9b16a8d5709a7a7339d41595a85f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2745b025870ff77743f3ef7fbc988246

SHA1
f3beb4478fcfecf00ad8c8c5f9bb2a00b2f3ffc7

SHA256
d26a2b362840ea4a05b049ace896ce4e0d20e51c4f2fbe402f323404788f64ba

SHA512
27b4d9bd313cac94d1ed82246302227409034d8b8d50c674d06e60a2642fa627bd72ac2720aec70de7dbffade99229d0b99b89e8b7e786cb5eb904cb518d4a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jn1opspy.jkg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/968-189-0x000002AA49350000-0x000002AA49360000-memory.dmp

Filesize
64KB

Download
memory/968-184-0x000002AA49350000-0x000002AA49360000-memory.dmp

Filesize
64KB

Download
memory/968-192-0x000002AA49350000-0x000002AA49360000-memory.dmp

Filesize
64KB

Download
memory/968-191-0x000002AA49350000-0x000002AA49360000-memory.dmp

Filesize
64KB

Download
memory/968-190-0x000002AA49350000-0x000002AA49360000-memory.dmp

Filesize
64KB

Download
memory/968-186-0x000002AA49350000-0x000002AA49360000-memory.dmp

Filesize
64KB

Download
memory/968-187-0x000002AA647D0000-0x000002AA647FA000-memory.dmp

Filesize
168KB

Download
memory/968-188-0x000002AA647D0000-0x000002AA647F4000-memory.dmp

Filesize
144KB

Download
memory/968-185-0x000002AA49350000-0x000002AA49360000-memory.dmp

Filesize
64KB

Download
memory/1352-143-0x000001E36C650000-0x000001E36C660000-memory.dmp

Filesize
64KB

Download
memory/1352-144-0x000001E36C650000-0x000001E36C660000-memory.dmp

Filesize
64KB

Download
memory/1352-145-0x000001E36C650000-0x000001E36C660000-memory.dmp

Filesize
64KB

Download
memory/1352-142-0x000001E36F410000-0x000001E36F432000-memory.dmp

Filesize
136KB

Download
memory/4860-171-0x000001370D400000-0x000001370D410000-memory.dmp

Filesize
64KB

Download
memory/4860-168-0x000001370D400000-0x000001370D410000-memory.dmp

Filesize
64KB

Download